Parameter Attribute DataType Description Allowed Values
IsSingleInstance Key String Only valid value is 'Yes'. Yes
DisplayName Write String Display name for this policy.
Description Write String Description of this policy.
AllowedToSignUpEmailBasedSubscriptions Write Boolean Boolean Indicates whether users can sign up for email based subscriptions.
AllowedToUseSSPR Write Boolean Boolean Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant.
AllowEmailVerifiedUsersToJoinOrganization Write Boolean Boolean Indicates whether a user can join the tenant by email validation.
AllowInvitesFrom Write String Indicates who can invite external users to the organization. Possible values are: None, AdminsAndGuestInviters, AdminsGuestInvitersAndAllMembers, Everyone. Everyone is the default setting for all cloud environments except US Government. None, AdminsAndGuestInviters, AdminsGuestInvitersAndAllMembers, Everyone
BlockMsolPowershell Write Boolean Boolean To disable the use of MSOL PowerShell, set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph.
DefaultUserRoleAllowedToCreateApps Write Boolean Boolean Indicates whether the default user role can create applications.
DefaultUserRoleAllowedToCreateSecurityGroups Write Boolean Boolean Indicates whether the default user role can create security groups.
DefaultUserRoleAllowedToReadOtherUsers Write Boolean Boolean Indicates whether the default user role can read other users.
GuestUserRole Write String The role that should be granted to guest users. Refer to List unifiedRoleDefinitions to find the list of available role templates. Only supported roles today are User, Guest User, and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). Guest, RestrictedGuest, User
PermissionGrantPolicyIdsAssignedToDefaultUserRole Write StringArray[] String collection Indicates if user consent to apps is allowed, and if it is, which permission to grant consent and which app consent policy (permissionGrantPolicy) govern the permission for users to grant consent. Value should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled.
Ensure Write String Specify that the Azure Authorization Policy should exist. Present
Credential Write PSCredential Credentials for the Microsoft Graph delegated permissions.
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write String Secret of the Azure Active Directory application to authenticate with.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.



This resource configures the Azure Active Directory Authorization Policy.

The policy is managed using the BETA API, some properties may have been added in the API but not in the resource

Azure AD Permissions

To authenticate via Microsoft Graph, this resource required the following Application permissions:

  • Automate
  • Policy.Read.All
  • Policy.ReadWrite.Authorization

  • Export

  • Policy.Read.All

NOTE: All permisions listed above require admin consent.


Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
        [Parameter(Mandatory = $true)]
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
        AADAuthorizationPolicy 'AADAuthPol'
            IsSingleInstance                                  = "Yes"
            Id                                                = "authorizationPolicy"
            DisplayName                                       = "Authorization Policy"
            Description                                       = "Used to manage authorization related settings across the company."
            AllowEmailVerifiedUsersToJoinOrganization         = $true
            AllowInvitesFrom                                  = "everyone"
            AllowedToSignUpEmailBasedSubscriptions            = $true
            AllowedToUseSspr                                  = $true
            BlockMsolPowerShell                               = $false
            DefaultUserRoleAllowedToCreateApps                = $true
            DefaultUserRoleAllowedToCreateSecurityGroups      = $true
            DefaultUserRoleAllowedToReadOtherUsers            = $true
            GuestUserRole                                     = "Guest"
            PermissionGrantPolicyIdsAssignedToDefaultUserRole = @()
            Ensure                                            = "Present"
            Credential                                        = $credsGlobalAdmin