Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.AuthenticationMethod permission.
If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: authenticationCombinationConfiguration
| Property |
Type |
Description |
| appliesToCombinations |
authenticationMethodModes collection |
Which authentication method combinations this configuration applies to. Must be an allowedCombinations object, part of the authenticationStrengthPolicy. The only possible value for fido2combinationConfigurations is "fido2". |
| id |
String |
A unique system-generated identifier. |
Graph reference: authenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from a policy. |
| id |
String |
The policy name. |
| state |
authenticationMethodState |
The state of the policy. Possible values are: enabled, disabled. |
Graph reference: authenticationMethodModeDetail
| Property |
Type |
Description |
| authenticationMethod |
baseAuthenticationMethod |
The authentication method that this mode modifies. The possible values are: password, voice, hardwareOath, softwareOath, sms, fido2, windowsHelloForBusiness, microsoftAuthenticator, temporaryAccessPass, email, x509Certificate, federation, unknownFutureValue, qrCodePin. Use the Prefer: include-unknown-enum-members request header to get the following value from this evolvable enum: qrCodePin. |
| displayName |
String |
The display name of this mode |
| id |
String |
The system-generated identifier for this mode. |
Graph reference: authenticationMethodsPolicy
| Property |
Type |
Description |
| description |
String |
A description of the policy. Read-only. |
| displayName |
String |
The name of the policy. Read-only. |
| id |
String |
The identifier of the policy. Inherited from entity. |
| lastModifiedDateTime |
DateTimeOffset |
The date and time of the last update to the policy. Read-only. |
| policyVersion |
String |
The version of the policy in use. Read-only. |
| registrationEnforcement |
registrationEnforcement |
Enforce registration at sign-in time. This property can be used to remind users to set up targeted authentication methods. |
| policyMigrationState |
authenticationMethodsPolicyMigrationState |
The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. The possible values are:
premigration - means the authentication methods policy is used for authentication only, legacy policies are respected. migrationInProgress - means the authentication methods policy is used for both authentication and SSPR, legacy policies are respected. migrationComplete - means the authentication methods policy is used for authentication and SSPR, legacy policies are ignored. unknownFutureValue - Evolvable enumeration sentinel value. Do not use. |
Graph reference: authenticationMethodTarget
| Property |
Type |
Description |
| id |
String |
Object Id of a Microsoft Entra user or group. |
| isRegistrationRequired |
Boolean |
Determines if the user is enforced to register the authentication method. |
| targetType |
authenticationMethodTargetType |
Possible values are: user, group. |
Graph reference: authenticationStrengthPolicy
| Property |
Type |
Description |
| allowedCombinations |
authenticationMethodModes collection |
A collection of authentication method modes that are required be used to satify this authentication strength. |
| createdDateTime |
DateTimeOffset |
The datetime when this policy was created. |
| description |
String |
The human-readable description of this policy. |
| displayName |
String |
The human-readable display name of this policy.
Supports $filter (eq, ne, not , and in). |
| id |
String |
The system-generated identifier for this mode. |
| modifiedDateTime |
DateTimeOffset |
The datetime when this policy was last modified. |
| policyType |
authenticationStrengthPolicyType |
A descriptor of whether this policy is built into Microsoft Entra ID or created by an admin for the tenant. The possible values are: builtIn, custom, unknownFutureValue.
Supports $filter (eq, ne, not , and in). |
| requirementsSatisfied |
authenticationStrengthRequirements |
A descriptor of whether this authentication strength grants the MFA claim upon successful satisfaction. The possible values are: none, mfa, unknownFutureValue. |
Graph reference: authenticationStrengthUsage
| Property |
Type |
Description |
| mfa |
conditionalAccessPolicy collection |
A collection of Conditional Access policies that reference the specified authentication strength policy and that require an MFA claim. |
| none |
conditionalAccessPolicy collection |
A collection of Conditional Access policies that reference the specified authentication strength policy and that do not require an MFA claim. |
Graph reference: b2cAuthenticationMethodsPolicy
| Property |
Type |
Description |
| id |
String |
The ID of the B2C authentication methods policy. This is a read only property and the key. |
| isEmailPasswordAuthenticationEnabled |
Boolean |
The tenant admin can configure local accounts using email if the email and password authentication method is enabled. |
| isUserNameAuthenticationEnabled |
Boolean |
The tenant admin can configure local accounts using username if the username and password authentication method is enabled. |
| isPhoneOneTimePasswordAuthenticationEnabled |
Boolean |
The tenant admin can configure local accounts using phone number if the phone number and one-time password authentication method is enabled. |
Graph reference: emailAuthenticationMethodConfiguration
| Property |
Type |
Description |
| allowExternalIdToUseEmailOtp |
externalEmailOtpState |
Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who didn't use public preview have email OTP enabled beginning in October 2021. |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The authentication method policy identifier. Inherited from authenticationMethodConfiguration. |
| state |
authenticationMethodState |
Indicates whether this authentication method is enabled or not. Possible values are: enabled, disabled. |
Graph reference: excludeTarget
| Property |
Type |
Description |
| id |
String |
The object identifier of a Microsoft Entra user or group. |
| targetType |
authenticationMethodTargetType |
The type of the authentication method target. Possible values are: user, group, unknownFutureValue. |
Graph reference: externalAuthenticationMethodConfiguration
| Property |
Type |
Description |
| appId |
String |
appId for the app registration in Microsoft Entra ID representing the integration with the external provider. |
| displayName |
String |
Display name for the external authentication method. This name is shown to users during sign-in. |
| excludeTargets |
excludeTarget collection |
Groups of users excluded from the policy. Inherited from authenticationMethodConfiguration. |
| id |
String |
The unique identifier for this object. Read-only. Inherited from entity. |
| openIdConnectSetting |
openIdConnectSetting |
Open ID Connection settings used by this external authentication method. |
| state |
authenticationMethodState |
The state of the method in the policy. Inherited from authenticationMethodConfiguration. The possible values are: enabled, disabled. |
Graph reference: fido2AuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The authentication method policy identifier. |
| isAttestationEnforced |
Boolean |
Determines whether attestation must be enforced for FIDO2 security key registration. |
| isSelfServiceRegistrationAllowed |
Boolean |
Determines if users can register new FIDO2 security keys. |
| keyRestrictions |
fido2KeyRestrictions |
Controls whether key restrictions are enforced on FIDO2 security keys, either allowing or disallowing certain key types as defined by Authenticator Attestation GUID (AAGUID), an identifier that indicates the type (e.g. make and model) of the authenticator. |
| state |
authenticationMethodState |
Possible values are: enabled, disabled. |
Graph reference: fido2CombinationConfiguration
| Property |
Type |
Description |
| allowedAAGUIDs |
String collection |
A list of AAGUIDs allowed to be used as part of the specified authentication method combinations. |
| appliesToCombinations |
authenticationMethodModes collection |
Which authentication method combinations this configuration applies to. The only possible value is "fido2". Inherited from authenticationCombinationConfiguration. |
| id |
String |
A system-generated identifier. Inherited from entity. |
Graph reference: hardwareOathAuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. Inherited from authenticationMethodConfiguration. |
| id |
String |
The authentication method policy identifier. Inherited from entity. |
| state |
authenticationMethodState |
Possible values are: enabled, disabled. Inherited from authenticationMethodConfiguration. |
Graph reference: hardwareOathTokenAuthenticationMethodDevice
| Property |
Type |
Description |
| assignedTo |
identity |
User the token is assigned to. Nullable. Supports $filter (eq). |
| displayName |
String |
Name that can be provided to the hardware OATH token. Inherited from authenticationMethodDevice. |
| hashFunction |
hardwareOathTokenHashFunction |
Hash function of the hardrware token. The possible values are: hmacsha1 or hmacsha256. Default value is: hmacsha1. Supports $filter (eq). |
| id |
String |
Unique identifier of the hardware OATH token. Inherited from entity. |
| manufacturer |
String |
Manufacturer name of the hardware token. Supports $filter (eq). |
| model |
String |
Model name of the hardware token. Supports $filter (eq). |
| secretKey |
String |
Secret key of the specific hardware token, provided by the vendor. |
| serialNumber |
String |
Serial number of the specific hardware token, often found on the back of the device. Supports $select and $filter (eq). |
| status |
hardwareOathTokenStatus |
Status of the hardware OATH token.The possible values are: available, assigned, activated, failedActivation. Supports $filter(eq). |
| timeIntervalInSeconds |
Int32 |
Refresh interval of the 6-digit verification code, in seconds. The possible values are: 30 or 60. Supports $filter (eq). |
Graph reference: identity
| Property |
Type |
Description |
| displayName |
String |
The display name of the identity.
For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta. |
| id |
String |
Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review. |
| tenantId |
String |
Unique identity of the tenant. Optional. |
| thumbnails |
thumbnailSet |
Keyed collection of thumbnail resources. Optional. Applies to drive items, for example. |
Graph reference: microsoftAuthenticatorAuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The authentication method policy identifier. |
| featureSettings |
microsoftAuthenticatorFeatureSettings |
A collection of Microsoft Authenticator settings such as application context and location context, and whether they are enabled for all users or specific users only. |
| state |
authenticationMethodState |
Possible values are: enabled, disabled. |
Graph reference: openIdConnectSetting
| Property |
Type |
Description |
| clientId |
String |
The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID. In OIDC parlance, this is the client_id that external identity provider assigns to Microsoft Entra ID, which is also a recipient of a token from the external identity provider. |
| discoveryUrl |
String |
The host URL of the external identity provider's OIDC discovery endpoint. This endpoint must support the OIDC discovery process. |
Graph reference: qrCodePinAuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. Inherited from authenticationMethodConfiguration. |
| id |
String |
The identifier for the authentication method policy. The value is always QRCodePin. Inherits from entity |
| pinLength |
Int32 |
A memorized alphanumeric secret code. Minimum length is 8 as per NIST 800-63B and can't be longer than 20 digits. |
| standardQRCodeLifetimeInDays |
Int32 |
The maximum value is 395 days and the default value is 365 days. |
| state |
authenticationMethodState |
Inherited from authenticationMethodConfiguration. The possible values are: enabled, disabled. |
Graph reference: registrationEnforcement
| Property |
Type |
Description |
| authenticationMethodsRegistrationCampaign |
authenticationMethodsRegistrationCampaign |
Run campaigns to remind users to set up targeted authentication methods. |
Graph reference: reportSuspiciousActivitySettings
| Property |
Type |
Description |
| includeTarget |
includeTarget |
Group IDs in scope for report suspicious activity. |
| state |
advancedConfigState |
Specifies the state of the reportSuspiciousActivitySettings object. The possible values are: default, enabled, disabled, unknownFutureValue. Setting to default results in a disabled state. |
| voiceReportingCode |
Int32 |
Specifies the number the user enters on their phone to report the MFA prompt as suspicious. |
Graph reference: smsAuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The authentication method policy identifier. |
| state |
authenticationMethodState |
Possible values are: enabled, disabled. |
Graph reference: softwareOathAuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The authentication method policy identifier. |
| state |
authenticationMethodState |
Represents whether users can register this authentication method. The possible values are: enabled, disabled. |
Graph reference: strongAuthenticationRequirements
| Property |
Type |
Description |
| perUserMfaState |
perUserMfaState |
Sets the per-user MFA state for the user. The possible values are: disabled, enforced, enabled, unknownFutureValue. When you update a user's MFA state to enabled and the user has already registered an MFA method, their state changes automatically to enforced. |
Graph reference: systemCredentialPreferences
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Users and groups excluded from the preferred authentication method experience of the system. |
| includeTargets |
includeTarget collection |
Users and groups included in the preferred authentication method experience of the system. |
| state |
advancedConfigState |
Indicates whether the feature is enabled or disabled. Possible values are: default, enabled, disabled, unknownFutureValue. The default value is used when the configuration hasn't been explicitly set, and uses the default behavior of Microsoft Entra ID for the setting. The default value is disabled. |
Graph reference: temporaryAccessPassAuthenticationMethodConfiguration
| Property |
Type |
Description |
| defaultLength |
Int |
Default length in characters of a Temporary Access Pass object. Must be between 8 and 48 characters. |
| defaultLifetimeInMinutes |
Int |
Default lifetime in minutes for a Temporary Access Pass. Value can be any integer between the minimumLifetimeInMinutes and maximumLifetimeInMinutes. |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The identifier of the authentication method policy. Inherited from entity. |
| isUsableOnce |
Boolean |
If true, all the passes in the tenant will be restricted to one-time use. If false, passes in the tenant can be created to be either one-time use or reusable. |
| maximumLifetimeInMinutes |
Int |
Maximum lifetime in minutes for any Temporary Access Pass created in the tenant. Value can be between 10 and 43200 minutes (equivalent to 30 days). |
| minimumLifetimeInMinutes |
Int |
Minimum lifetime in minutes for any Temporary Access Pass created in the tenant. Value can be between 10 and 43200 minutes (equivalent to 30 days). |
| state |
authenticationMethodState |
Whether the Temporary Access Pass method is enabled in the tenant. Possible values are: enabled, disabled. Inherited from authenticationMethodConfiguration. |
Graph reference: updateAllowedCombinationsResult
| Property |
Type |
Description |
| additionalInformation |
String |
Information about why the updateAllowedCombinations action was successful or failed. |
| conditionalAccessReferences |
String collection |
References to existing Conditional Access policies that use this authentication strength. |
| currentCombinations |
authenticationMethodModes collection |
The list of current authentication method combinations allowed by the authentication strength. |
| previousCombinations |
authenticationMethodModes collection |
The list of former authentication method combinations allowed by the authentication strength before they were updated through the updateAllowedCombinations action. |
Graph reference: voiceAuthenticationMethodConfiguration
| Property |
Type |
Description |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The authentication method policy identifier. |
| isOfficePhoneAllowed |
Boolean |
true if users can register office phones, otherwise, false. |
| state |
authenticationMethodState |
Represents whether users can register this authentication method. The possible values are: enabled, disabled. |
Graph reference: x509CertificateAuthenticationMethodConfiguration
| Property |
Type |
Description |
| authenticationModeConfiguration |
x509CertificateAuthenticationModeConfiguration |
Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
| certificateUserBindings |
x509CertificateUserBinding collection |
Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The priority of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
| crlValidationConfiguration |
x509CertificateCRLValidationConfiguration |
Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
| excludeTargets |
excludeTarget collection |
Groups of users that are excluded from the policy. |
| id |
String |
The identifier for the authentication method policy. The value is always X509Certificate. Inherited from |
| state |
authenticationMethodState |
The possible values are: enabled, disabled. Inherited from authenticationMethodConfiguration. |
Graph reference: x509CertificateAuthenticationModeConfiguration
| Property |
Type |
Description |
| rules |
x509CertificateRule collection |
Rules are configured in addition to the authentication mode to bind a specific x509CertificateRuleType to an x509CertificateAuthenticationMode. For example, bind the policyOID with identifier 1.32.132.343 to x509CertificateMultiFactor authentication mode. |
| x509CertificateAuthenticationDefaultMode |
x509CertificateAuthenticationMode |
The type of strong authentication mode. The possible values are: x509CertificateSingleFactor, x509CertificateMultiFactor, unknownFutureValue. |
Graph reference: x509CertificateAuthorityScope
| Property |
Type |
Description |
| includeTargets |
includeTarget collection |
A collection of groups that are enabled to be in scope to use certificates issued by specific certificate authority. |
| publicKeyInfrastructureIdentifier |
String |
Public Key Infrastructure container object under which the certificate authorities are stored in the Entra PKI based trust store. |
| subjectKeyIdentifier |
String |
Subject Key Identifier that identifies the certificate authority uniquely. |
Graph reference: x509CertificateCombinationConfiguration
| Property |
Type |
Description |
| allowedIssuerSkis |
String collection |
A list of allowed subject key identifier values. |
| allowedPolicyOIDs |
String collection |
A list of allowed policy OIDs. |
| appliesToCombinations |
authenticationMethodModes collection |
Which authentication method combinations this configuration applies to. The possible values for x509certificatecombinationconfiguration are "x509CertificateSingleFactor" or "x509CertificateMultiFactor". Inherited from authenticationCombinationConfiguration. |
| id |
String |
A system-generated identifier. Inherited from entity. |
Graph reference: x509CertificateCRLValidationConfiguration
| Property |
Type |
Description |
| exemptedCertificateAuthoritiesSubjectKeyIdentifiers |
String collection |
Represents the SKIs of CAs that should be excluded from the valid CRL distribution point check. SKI is represented as a hexadecimal string. |
| state |
x509CertificateCRLValidationConfigurationState |
Describes whether valid CRLDistributionPoint is required from CAs for CBA to be successful. The possible values are: disabled, enabled, unknownFutureValue. |
Graph reference: x509CertificateUserBinding
| Property |
Type |
Description |
| priority |
Int32 |
The priority of the binding. Microsoft Entra ID uses the binding with the highest priority. This value must be a non-negative integer and unique in the collection of objects in the certificateUserBindings property of an x509CertificateAuthenticationMethodConfiguration object. Required |
| userProperty |
String |
Defines the Microsoft Entra user property of the user object to use for the binding. The possible values are: userPrincipalName, onPremisesUserPrincipalName, certificateUserIds. Required. |
| x509CertificateField |
String |
The field on the X.509 certificate to use for the binding. The possible values are: PrincipalName, RFC822Name, SubjectKeyIdentifier, SHA1PublicKey. |