CustomAuthenticationExtension.ReadWrite.All

Allows the app to read or write your organization's custom authentication extensions on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the CustomAuthenticationExtension.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	c2667967-7050-4e7e-b059-4cbbb3811d03	8dfcf82f-15d0-43b3-bc78-a958a13a5792
DisplayText	Read and write all custom authentication extensions	Read and write your organization's custom authentication extensions
Description	Allows the app to read or write your organization's custom authentication extensions without a signed-in user.	Allows the app to read or write your organization's custom authentication extensions on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
	GET /identity/customAuthenticationExtensions
	GET /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
	PATCH /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
	POST /identity/customAuthenticationExtensions
	POST /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}/validateAuthenticationConfiguration

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
	GET /identity/customAuthenticationExtensions
	GET /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
	PATCH /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}
	POST /identity/customAuthenticationExtensions
	POST /identity/customAuthenticationExtensions/{customAuthenticationExtensionId}/validateAuthenticationConfiguration

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgIdentityCustomAuthenticationExtension
	New-MgIdentityCustomAuthenticationExtension
	Remove-MgIdentityCustomAuthenticationExtension
	Test-MgIdentityCustomAuthenticationExtensionAuthenticationConfiguration
	Update-MgIdentityCustomAuthenticationExtension

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaIdentityCustomAuthenticationExtension
	New-MgBetaIdentityCustomAuthenticationExtension
	Remove-MgBetaIdentityCustomAuthenticationExtension
	Test-MgBetaIdentityCustomAuthenticationExtensionAuthenticationConfiguration
	Update-MgBetaIdentityCustomAuthenticationExtension

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: authenticationConfigurationValidation

Property	Type	Description
errors	genericError collection	Errors in the validation result of a customAuthenticationExtension.
warnings	genericError collection	Warnings in the validation result of a customAuthenticationExtension.

Graph reference: customAuthenticationExtension

Property	Type	Description
authenticationConfiguration	customExtensionAuthenticationConfiguration	The authentication configuration for the customAuthenticationExtension. Inherited from customCalloutExtension.
clientConfiguration	customExtensionClientConfiguration	The connection settings for the customAuthenticationExtension. Inherited from customCalloutExtension.
description	String	The description of the customAuthenticationExtension. Inherited from customCalloutExtension.
displayName	String	The display name for the customAuthenticationExtension. Inherited from customCalloutExtension.
endpointConfiguration	customExtensionEndpointConfiguration	The HTTP endpoint that this custom extension calls. Inherited from customCalloutExtension.
id	String	Identifier for the customAuthenticationExtension. Inherited from entity.

Graph reference: customCalloutExtension

Property	Type	Description
authenticationConfiguration	customExtensionAuthenticationConfiguration	Configuration for securing the API call to the logic app. For example, using OAuth client credentials flow.
clientConfiguration	customExtensionClientConfiguration	HTTP connection settings that define how long Microsoft Entra ID can wait for a connection to a logic app, how many times you can retry a timed-out connection and the exception scenarios when retries are allowed.
description	String	Description for the customCalloutExtension object.
displayName	String	Display name for the customCalloutExtension object.
endpointConfiguration	customExtensionEndpointConfiguration	The type and details for configuring the endpoint to call the logic app's workflow.
id	String	Identifier for the customCalloutExtension object. Inherited from entity.

Graph reference: customExtensionClientConfiguration

Property	Type	Description
timeoutInMilliseconds	Int32	The max duration in milliseconds that Microsoft Entra ID waits for a response from the external app before it shuts down the connection. The valid range is between `200` and `2000` milliseconds. Default duration is `1000`.
maximumRetries	Int32	The max number of retries that Microsoft Entra ID makes to the external API. Values of 0 or 1 are supported. If `null`, the default for the service applies.

Graph reference: onAttributeCollectionStartCustomExtension

Property	Type	Description
authenticationConfiguration	customExtensionAuthenticationConfiguration	Configuration for securing the API call. For example, using OAuth client credentials flow. Inherited from customCalloutExtension.
clientConfiguration	customExtensionClientConfiguration	HTTP connection settings that define how long Microsoft Entra ID can wait for a connection, how many times you can retry a timed-out connection and the exception scenarios when retries are allowed. Inherited from customCalloutExtension.
description	String	Description for the onAttributeCollectionStartCustomExtension object. Inherited from customCalloutExtension.
displayName	String	Display name for the onAttributeCollectionStartCustomExtension object. Inherited from customCalloutExtension.
endpointConfiguration	customExtensionEndpointConfiguration	The type and details for configuring the endpoint to call the app's workflow. Inherited from customCalloutExtension.
id	String	Identifier for the onAttributeCollectionStartCustomExtension object. Inherited from entity. Inherited from entity.

Graph reference: onAttributeCollectionStartCustomExtensionHandler

Property	Type	Description
configuration	customExtensionOverwriteConfiguration	Configuration regarding properties of the custom extension that are can be overwritten per event listener.

Graph reference: onAttributeCollectionSubmitCustomExtension

Property	Type	Description
authenticationConfiguration	customExtensionAuthenticationConfiguration	Configuration for securing the API call. For example, using OAuth client credentials flow. Inherited from customCalloutExtension.
clientConfiguration	customExtensionClientConfiguration	HTTP connection settings that define how long Microsoft Entra ID can wait for a connection, how many times you can retry a timed-out connection and the exception scenarios when retries are allowed. Inherited from customCalloutExtension.
description	String	Description for the onAttributeCollectionSubmitCustomExtension object. Inherited from customCalloutExtension.
displayName	String	Display name for the onAttributeCollectionSubmitCustomExtension object. Inherited from customCalloutExtension.
endpointConfiguration	customExtensionEndpointConfiguration	The type and details for configuring the endpoint to call the app's workflow. Inherited from customCalloutExtension.
id	String	Identifier for the onAttributeCollectionSubmitCustomExtension object. Inherited from entity. Inherited from entity.

Graph reference: onAttributeCollectionSubmitCustomExtensionHandler

Property	Type	Description
configuration	customExtensionOverwriteConfiguration	Configuration regarding properties of the custom extension that can be overwritten per event listener.

Graph reference: onTokenIssuanceStartCustomExtension

Property	Type	Description
authenticationConfiguration	customExtensionAuthenticationConfiguration	The authentication configuration for this custom authentication extension. Inherited from customCalloutExtension.
claimsForTokenConfiguration	onTokenIssuanceStartReturnClaim collection	Collection of claims to be returned by the API called by this custom authentication extension. Used to populate claims mapping experience in Microsoft Entra admin center. Optional.
clientConfiguration	customExtensionClientConfiguration	The connection settings for the custom authentication extension. Inherited from customCalloutExtension.
description	String	Description for the custom authentication extension. Inherited from customCalloutExtension.
displayName	String	Display name for the custom authentication extension. Inherited from customCalloutExtension.
endpointConfiguration	customExtensionEndpointConfiguration	Configuration for the API endpoint that the custom authentication extension will call. Inherited from customCalloutExtension.
id	String	Identifier for onTokenIssuanceStartCustomExtension. Inherited from entity.

Graph reference: onTokenIssuanceStartReturnClaim

Property	Type	Description
claimIdInApiResponse	String	The identifier of the claim returned by an API that is to be add to a token being issued.

Table of Contents

CustomAuthenticationExtension.ReadWrite.All

Graph Methods

Resources