MutualTlsOauthConfiguration.ReadWrite.All

Allows the app to read and update configuration used for OAuth 2.0 mutual-TLS client authentication, on behalf of the signed-in user. This includes adding and updating trusted certificate authorities.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the MutualTlsOauthConfiguration.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	78bbf8cf-07d8-45ba-b0eb-1a7b48efbcf1	a51115bc-f64f-498f-bcee-00dcd28f4a03
DisplayText	Read and write all configurations used for mutual-TLS client authentication.	Read and write all configurations used for mutual-TLS client authentication.
Description	Allows the app to read and update configuration used for OAuth 2.0 mutual-TLS client authentication, without a signed-in user. This includes reading and updating trusted certificate authorities.	Allows the app to read and update configuration used for OAuth 2.0 mutual-TLS client authentication, on behalf of the signed-in user. This includes adding and updating trusted certificate authorities.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /directory/certificateAuthorities/mutualTlsOauthConfigurations/{mutualTlsOauthConfigurationId}
	GET /certificateAuthorities/mutualTlsOauthConfigurations
	PATCH /directory/certificateAuthorities/mutualTlsOauthConfigurations/{mutualTlsOauthConfigurationId}
	POST /directory/certificateAuthorities/mutualTlsOauthConfigurations

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

certificateAuthority
mutualTlsOauthConfiguration

Graph reference: certificateAuthority

Property	Type	Description
certificate	Binary	Required. The base64 encoded string representing the public certificate.
certificateRevocationListUrl	String	The URL of the certificate revocation list.
deltaCertificateRevocationListUrl	String	The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created.
isRootAuthority	Boolean	Required. true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority.
issuer	String	The issuer of the certificate, calculated from the certificate value. Read-only.
issuerSki	String	The subject key identifier of the certificate, calculated from the **c

Graph reference: mutualTlsOauthConfiguration

Property	Type	Description
certificateAuthorities	certificateAuthority collection	Multi-value property that represents a list of trusted certificate authorities. Inherited from trustedCertificateAuthorityBase.
deletedDateTime	DateTimeOffset	Date and time when this object was deleted. Always `null` when the object hasn't been deleted. Inherited from trustedCertificateAuthorityBase.
displayName	String	Friendly name. Supports `$filter` (`eq`, `in`).
id	String	The unique identifier for the mutualTlsOauthConfiguration object. Inherited from trustedCertificateAuthorityBase. Supports `$filter` (`eq`, `in`).
tlsClientAuthParameter	tlsClientRegistrationMetadata	Specifies the field in the certificate that contains the subject ID. The possible values are: `tls_client_auth_subject_dn`, `tls_client_auth_san_dns`, `tls_client_auth_san_uri`, `tls_client_auth_san_ip`, `tls_client_auth_san_email`, `unknownFutureValue`.

Table of Contents

MutualTlsOauthConfiguration.ReadWrite.All

Graph Methods

Resources