class PermissionGrantConditionSet

Maturity: 53

A class representing a permission grant condition set that specifies matching rules in a permission grant policy to include or exclude permission grant events in Microsoft Graph API.

File: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/condition_set.py
Lines: 5 - 58
Complexity: moderate

Purpose

This class models a permission grant condition set used in Microsoft 365/Azure AD permission grant policies. It encapsulates conditions that must all be met for a permission grant event to match. The class provides read-only properties to access various filtering criteria including client application IDs, publisher IDs, verified publisher requirements, specific permissions, and resource applications. It inherits from Entity, making it part of the Microsoft Graph API object model.

Source Code

class PermissionGrantConditionSet(Entity):
    """
    A permission grant condition set is used to specify a matching rule in a permission grant policy to include
    or exclude a permission grant event.

    A permission grant condition set contains several conditions. For an event to match a permission grant condition
    set, all conditions must be met.
    """

    @property
    def client_application_ids(self):
        """
        A list of appId values for the client applications to match with, or a list with the single value all to
        match any client application. Default is the single value all.
        """
        return self.properties.get("clientApplicationIds", StringCollection())

    @property
    def client_application_publisher_ids(self):
        """
        A list of Microsoft Partner Network (MPN) IDs for verified publishers of the client application,  or a list
        with the single value all to match with client apps from any publisher. Default is the single value all.
        """
        return self.properties.get("clientApplicationPublisherIds", StringCollection())

    @property
    def client_applications_from_verified_publisher_only(self):
        """
        Set to true to only match on client applications with a verified publisher. Set to false to match on any client
        app, even if it does not have a verified publisher. Default is false.
        :rtype: bool
        """
        return self.properties.get("clientApplicationsFromVerifiedPublisherOnly", None)

    @property
    def permissions(self):
        """
        The list of id values for the specific permissions to match with, or a list with the single value all to
        match with any permission. The id of delegated permissions can be found in the oauth2PermissionScopes property
        of the API's servicePrincipal object. The id of application permissions can be found in the appRoles property
        of the API's servicePrincipal object. The id of resource-specific application permissions can be found in
        the resourceSpecificApplicationPermissions property of the API's servicePrincipal object.
        Default is the single value all.
        """
        return self.properties.get("permissions", StringCollection())

    @property
    def resource_application(self):
        """
        The appId of the resource application (e.g. the API) for which a permission is being granted, or any to match
        with any resource application or API. Default is any.
        :rtype: str
        """
        return self.properties.get("resourceApplication", None)

Parameters

Name Type Default Kind
bases Entity -

Parameter Details

__init__: Inherits constructor from Entity base class. The Entity base class typically accepts properties as a dictionary that populates the internal properties store used by all property accessors.

Return Value

Instantiation returns a PermissionGrantConditionSet object that provides access to condition set properties through read-only property accessors. Each property returns either a StringCollection (for list-based properties), bool, or str depending on the property type.

Class Interface

Methods

@property client_application_ids(self) -> StringCollection property

Purpose: Returns a list of appId values for client applications to match with, or 'all' to match any client application

Returns: StringCollection containing application IDs or the single value 'all'. Default is 'all'.

@property client_application_publisher_ids(self) -> StringCollection property

Purpose: Returns a list of Microsoft Partner Network (MPN) IDs for verified publishers of client applications

Returns: StringCollection containing MPN IDs or the single value 'all' to match any publisher. Default is 'all'.

@property client_applications_from_verified_publisher_only(self) -> bool property

Purpose: Indicates whether to match only client applications with verified publishers

Returns: Boolean value: true to match only verified publishers, false to match any client app. Default is false. May return None if not set.

@property permissions(self) -> StringCollection property

Purpose: Returns the list of specific permission IDs to match with, or 'all' to match any permission

Returns: StringCollection containing permission IDs (from oauth2PermissionScopes, appRoles, or resourceSpecificApplicationPermissions) or the single value 'all'. Default is 'all'.

@property resource_application(self) -> str property

Purpose: Returns the appId of the resource application (API) for which permission is being granted

Returns: String containing the appId of the resource application, or 'any' to match with any resource application or API. Default is 'any'. May return None if not set.

Attributes

Name Type Description Scope
properties dict Inherited from Entity base class. Internal dictionary storing all property values accessed by the property decorators. instance

Dependencies

  • office365

Required Imports

from office365.entity import Entity
from office365.runtime.types.collections import StringCollection

Usage Example

# Import path follows the file location listed above
from office365.directory.permissions.grants.condition_set import PermissionGrantConditionSet

# Typically instantiated and populated by the Microsoft Graph API client.
# The constructor inherited from Entity takes the client context as its first
# argument; None is enough to inspect an unpopulated instance offline.
condition_set = PermissionGrantConditionSet(None)

# Access client application IDs
app_ids = condition_set.client_application_ids
print(f"Client App IDs: {app_ids}")

# Check if only verified publishers are allowed
verified_only = condition_set.client_applications_from_verified_publisher_only
print(f"Verified publishers only: {verified_only}")

# Get resource application
resource_app = condition_set.resource_application
print(f"Resource application: {resource_app}")

# Access permissions list
permissions = condition_set.permissions
print(f"Permissions: {permissions}")

# Get publisher IDs
publisher_ids = condition_set.client_application_publisher_ids
print(f"Publisher IDs: {publisher_ids}")

Best Practices

  • This class is typically instantiated and populated by the Microsoft Graph API client, not manually constructed
  • All properties are read-only and return values from the internal properties dictionary
  • The class follows the Entity pattern where data is stored in a properties dictionary accessed via property decorators
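  • The defaults named in the docstrings ('all' for collection properties, 'any' for resource_application, and false for the verified publisher flag) are the Microsoft Graph defaults; the accessors themselves fall back to an empty StringCollection or None when a key is absent from the properties dictionary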
  • When checking conditions, remember that ALL conditions in the set must be met for a match
  • StringCollection objects are returned for list-based properties, not plain Python lists
  • None may be returned for properties that haven't been set or retrieved from the API
  • This is a read-only data model class - modifications should be done through the Microsoft Graph API client methods
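
The all-conditions-must-match rule can be checked offline when reviewing a consent policy. The sketch below is an added example, not code from the office365 library or from this page: plain dicts stand in for the properties store, keyed by the Graph names the accessors read, and the event fields, helper names and GUIDs are constructed assumptions. It models one permission per grant event, which is a simplification.

```python
# Added example: plain dicts stand in for the class's `properties` store.
# The event field names below are hypothetical, chosen for this illustration.
GRAPH_DEFAULTS = {
    "clientApplicationIds": ["all"],
    "clientApplicationPublisherIds": ["all"],
    "clientApplicationsFromVerifiedPublisherOnly": False,
    "permissions": ["all"],
    "resourceApplication": "any",
}

def effective(props):
    """Apply the documented defaults to keys that are absent or None."""
    return {k: d if props.get(k) is None else props[k] for k, d in GRAPH_DEFAULTS.items()}

def _listed(values, candidate):
    return list(values) == ["all"] or candidate in values

def matches(props, event):
    """True only when every condition in the set is met (logical AND)."""
    c = effective(props)
    return all((
        _listed(c["clientApplicationIds"], event["client_app_id"]),
        _listed(c["clientApplicationPublisherIds"], event["publisher_id"]),
        event["publisher_verified"] or not c["clientApplicationsFromVerifiedPublisherOnly"],
        _listed(c["permissions"], event["permission_id"]),
        c["resourceApplication"] in ("any", event["resource_app_id"]),
    ))

def unconstrained(props):
    """Names of conditions left at their match-anything default."""
    c = effective(props)
    return sorted(k for k, d in GRAPH_DEFAULTS.items() if c[k] == d)

# Constructed sample data (placeholder GUIDs, not real identifiers).
LOW_RISK_SET = {
    "clientApplicationsFromVerifiedPublisherOnly": True,
    "permissions": ["11111111-0000-0000-0000-000000000001"],
    "resourceApplication": "22222222-0000-0000-0000-000000000002",
}
EVENT = {
    "client_app_id": "33333333-0000-0000-0000-000000000003",
    "publisher_id": "1234567",
    "publisher_verified": True,
    "permission_id": "11111111-0000-0000-0000-000000000001",
    "resource_app_id": "22222222-0000-0000-0000-000000000002",
}

if __name__ == "__main__":
    print(matches(LOW_RISK_SET, EVENT), unconstrained(LOW_RISK_SET))
```

A set for which unconstrained() returns all five names matches every grant event, which is worth flagging when it appears among a policy's include conditions.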

Similar Components

AI-powered semantic similarity - components with related functionality:

  • class PermissionGrantPolicy 78.4% similar

    A class representing a permission grant policy that specifies conditions under which consent can be granted, using include and exclude condition sets.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/policies/permission_grant.py
  • class ConditionalAccessPolicy 60.3% similar

    Represents an Azure Active Directory conditional access policy entity that defines custom rules for access scenarios.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/policies/conditional_access.py
  • class OAuth2PermissionGrant 59.8% similar

    Represents OAuth 2.0 delegated permissions granted to an application's service principal, allowing it to act on behalf of users when accessing APIs.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/oauth2.py
  • class ResourceSpecificPermissionGrant 59.5% similar

    Represents a resource-specific permission grant for an Azure AD application, providing read-only access to permission details granted to apps for Microsoft Graph resources.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/resource_specific.py
  • class SPO3rdPartyAADPermissionGrant 57.4% similar

    A SharePoint Online entity class representing a third-party Azure Active Directory (AAD) permission grant for SharePoint tenant administration.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/sharepoint/tenant/administration/internal/permission_grant.py