Anthropic-Cybersecurity-Skills/skills/implementing-zero-trust-for-saas-applications/references/api-reference.md

API Reference: Zero Trust for SaaS Applications

Microsoft Graph API v1.0

Authentication

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Body: grant_type=client_credentials&client_id=X&client_secret=Y&scope=https://graph.microsoft.com/.default

Conditional Access

Method	Endpoint	Description
GET	/identity/conditionalAccess/policies	List CA policies
GET	/identity/conditionalAccess/policies/{id}	Get policy details

Enterprise Applications

Method	Endpoint	Description
GET	/servicePrincipals	List service principals
GET	/oauth2PermissionGrants	List OAuth consent grants
GET	/appRoleAssignments	List app role assignments

Identity Protection

Method	Endpoint	Description
GET	/identityProtection/riskyUsers	List at-risk users
GET	/identityProtection/riskDetections	Risk detection events

CA Policy Grant Controls

Control	Description
mfa	Require multi-factor authentication
compliantDevice	Require Intune-compliant device
domainJoinedDevice	Require hybrid Azure AD join
passwordChange	Force password change

Risky OAuth Scopes

Scope	Risk
Mail.ReadWrite	Full mailbox access
Files.ReadWrite.All	All OneDrive/SharePoint files
Directory.ReadWrite.All	Full directory modification

References

• Graph API: https://learn.microsoft.com/en-us/graph/api/overview
• Conditional Access: https://learn.microsoft.com/en-us/entra/identity/conditional-access/