Home
PowerShell
Update-MgPolicyAuthorizationPolicy

How to update Entra ID authorization policy using Microsoft Graph PowerShell

The Update-MgPolicyAuthorizationPolicy cmdlet lets you modify the settings of the authorization policy in Microsoft Entra ID (previously Azure AD). This policy controls core permissions and constraints for user and admin activities across your directory.

Update authorization policy using Microsoft Graph PowerShell

Prerequisites

Before using the cmdlet, ensure that the Microsoft Graph PowerShell module is installed. If not, install it using the following PowerShell command:
Install-Module Microsoft.Graph -Scope CurrentUser
Also, use the following PowerShell command to connect to Microsoft Graph with the required permissions (e.g., Policy.ReadWrite.Authorization):
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

Using the Update-MgPolicyAuthorizationPolicy cmdlet

Run the following Graph PowerShell command below to update a configuration in the authorization policy. Replace <policy-id> with the ID of the authorization policy and <object> with the updated property values:


                                Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId <policy-id> -DefaultUserRolePermissions <object>

Examples

Example 1: Restrict default user permissions

This Graph PowerShell command restricts users from creating applications:


                                Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions @{ AllowedToCreateApps=$false }

Example 2: Allow downloading apps

This Graph PowerShell command allows users to download applications in the directory:


                                Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions @{ AllowedToDownloadApps=$true }

Supported parameters

The following are some essential parameters that can be used along with the Update-MgPolicyAuthorizationPolicy command:

Parameters	Description
-AuthorizationPolicyId	The ID of the authorization policy (usually "authorizationPolicy" )
-DefaultUserRolePermissions	Updates the default user role permissions object
-AllowEmailVerifiedUsersToJoinOrganization	Allows email-verified users to join the organization
-IsAuthorizationPolicyEnabled	Enables or disables the authorization policy
-PassThru	Returns the updated object

Limitations of using Microsoft Graph PowerShell to update Entra ID authorization policy

PowerShell commands can become complicated with different use cases and scenarios.
IT admins can spend a lot of time debugging errors, which in turn negatively impacts productivity.
Delegation can be challenging, as technicians may need elevated privileges.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:

Manage Entra ID users, contacts, groups, licenses, and other objects with a script-free, centralized console.
Reduce human errors by automating user provisioning, deprovisioning, and license assignment across various platforms.
Delegate Entra ID tasks to technicians without elevating their native privileges.
Keep a watchful eye with 200+ prepackaged reports for your Entra ID and AD environments.
Monitor delegated activities through smart workflows.
Ensure business continuity with AD, Entra ID, and Google Workspace backup and recovery.

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus

Try it now for free

Update authorization policy using Microsoft Graph PowerShell
Examples
Supported parameters
Limitations of using Microsoft Graph PowerShell to update Entra ID authorization policy
How ADManager Plus helps you manage Microsoft Entra ID

Related features:

Related Powershell Guides: