
Policy.ReadWrite.AuthenticationMethod

Allows the app to read and write the authentication method policies, on behalf of the signed-in user. 

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver Type Method
V1 A,D DELETE /identity/conditionalAccess/authenticationStrengths/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}/$ref
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
V1 D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/passwordlessMicrosoftAuthenticator
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice
V1 A,D DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
V1 A,D DELETE /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/$ref
V1 A,D GET /identity/conditionalAccess/authenticationStrengths/authenticationMethodModes
V1 A,D GET /identity/conditionalAccess/authenticationStrengths/authenticationMethodModes/{authenticationMethodModeDetailId}
V1 A,D GET /identity/conditionalAccess/authenticationStrengths/policies/{authenticationStrengthPolicyId}/combinationConfigurations
V1 A,D GET /identity/conditionalAccess/authenticationStrengths/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
V1 A,D GET /policies/authenticationMethodsPolicy
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
V1 D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/passwordlessMicrosoftAuthenticator
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
V1 A,D GET /policies/authenticationStrengthPolicies
V1 A,D GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
V1 A,D GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/usage
V1 A,D GET /policies/authenticationStrengthPolicies/findByMethodMode(authenticationMethodModes=["authenticationMethodMode"])
V1 A,D GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email
V1 A,D PATCH /identity/conditionalAccess/authenticationStrengths/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
V1 A,D PATCH /policies/authenticationMethodsPolicy
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
V1 D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/passwordlessMicrosoftAuthenticator
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice
V1 A,D PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
V1 A,D PATCH /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
V1 A,D PATCH /policies/b2cAuthenticationMethodsPolicy
V1 A,D POST /identity/conditionalAccess/authenticationStrengths/policies/{authenticationStrengthPolicyId}/combinationConfigurations
V1 A,D POST /policies/authenticationStrengthPolicies
V1 A,D POST /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations

Delegate Permission

Id 7e823077-d88e-468f-a337-e18f1f0e6c7c
Consent Type Admin
Display String Read and write authentication method policies
Description Allows the app to read and write the authentication method policies, on behalf of the signed-in user. 

Application Permission

Id 29c18626-4985-4dcd-85c0-193eef327366
Display String Read and write all authentication method policies 
Description Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. 
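An app or user that can exercise this permission can turn off FIDO2 attestation, re-enable SMS, lengthen Temporary Access Pass lifetimes or loosen an authentication strength, so the first check a reviewer wants is an inventory of who holds it. The Python below is an added example, not code from this page or from Microsoft. It uses only the two permission identifiers from this page; the Graph service principal object id, the assignment and grant records, and every display name are constructed so that it runs offline against the shapes returned by GET /servicePrincipals/{id}/appRoleAssignedTo and GET /oauth2PermissionGrants.

```python
"""Who can rewrite the tenant's authentication method policy?

Added example, not from the original page. Works offline on constructed
copies of two Microsoft Graph responses:
  GET /servicePrincipals/{graphSpId}/appRoleAssignedTo  -> application grants
  GET /oauth2PermissionGrants                            -> delegated grants
"""

# Identifiers from this page.
APP_ROLE_ID = "29c18626-4985-4dcd-85c0-193eef327366"   # application permission
DELEGATED_SCOPE = "Policy.ReadWrite.AuthenticationMethod"

# Assumed object id of the Microsoft Graph service principal in the tenant.
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample of appRoleAssignedTo on the Graph service principal.
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": APP_ROLE_ID, "principalId": "a1", "principalType": "ServicePrincipal",
     "principalDisplayName": "mfa-rollout-automation", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "22222222-2222-2222-2222-222222222222", "principalId": "a2",
     "principalType": "ServicePrincipal", "principalDisplayName": "reporting-app",
     "resourceId": GRAPH_SP_ID},
]

# Constructed sample of oauth2PermissionGrants. "scope" is a space-separated
# string; consentType "AllPrincipals" is admin consent for every user, while
# "Principal" is consent that applies only to the user in principalId.
OAUTH2_GRANTS = [
    {"clientId": "c1", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP_ID, "scope": " User.Read Policy.ReadWrite.AuthenticationMethod "},
    {"clientId": "c2", "consentType": "Principal", "principalId": "u7",
     "resourceId": GRAPH_SP_ID, "scope": "User.Read"},
    # Same scope name granted on a different API: not Microsoft Graph, so ignored.
    {"clientId": "c3", "consentType": "Principal", "principalId": "u9",
     "resourceId": "other-resource", "scope": "Policy.ReadWrite.AuthenticationMethod"},
]


def application_holders(assignments, graph_sp_id=GRAPH_SP_ID):
    """Service principals holding the application permission (no user involved)."""
    return sorted(
        a["principalDisplayName"]
        for a in assignments
        if a["resourceId"] == graph_sp_id and a["appRoleId"].lower() == APP_ROLE_ID
    )


def delegated_holders(grants, graph_sp_id=GRAPH_SP_ID):
    """Client apps granted the delegated scope on Graph, as
    (clientId, consentType, principalId) tuples.

    A delegated grant is bounded by the signed-in user: the call still fails
    unless that user holds a directory role allowed to edit authentication
    policy, so an AllPrincipals grant matters most for privileged users.
    """
    holders = []
    for g in grants:
        if g["resourceId"] != graph_sp_id:
            continue
        if DELEGATED_SCOPE in g["scope"].split():
            holders.append((g["clientId"], g["consentType"], g["principalId"]))
    return holders


if __name__ == "__main__":
    print("application:", application_holders(APP_ROLE_ASSIGNMENTS))
    print("delegated:", delegated_holders(OAUTH2_GRANTS))
```

In a live tenant the two inputs come from the Graph endpoints named in the docstring, filtered to the Microsoft Graph service principal; the split on whitespace matters because Graph stores the scope list as one string with arbitrary spacing.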

Resources

authenticationCombinationConfiguration

Property Type Description
appliesToCombinations authenticationMethodModes collection Which authentication method combinations this configuration applies to. Must be an allowedCombinations object that's defined for the authenticationStrengthPolicy. The only possible value for fido2combinationConfigurations is "fido2".
id String A unique system-generated identifier. Inherited from entity.

authenticationMethodConfiguration

Property Type Description
id String The policy name.
state authenticationMethodState The state of the policy. Possible values are: enabled, disabled.

authenticationMethodModeDetail

Property Type Description
authenticationMethod baseAuthenticationMethod The authentication method that this mode modifies. The possible values are: password, voice, hardwareOath, softwareOath, sms, fido2, windowsHelloForBusiness, microsoftAuthenticator, temporaryAccessPass, email, x509Certificate, federation, unknownFutureValue.
displayName String The display name of this mode.
id String The system-generated identifier for this mode. Inherited from entity.


authenticationMethodsPolicy

Property Type Description
description String A description of the policy. Read-only.
displayName String The name of the policy. Read-only.
id String The identifier of the policy. Inherited from entity.
lastModifiedDateTime DateTimeOffset The date and time of the last update to the policy. Read-only.
policyVersion String The version of the policy in use. Read-only.
registrationEnforcement registrationEnforcement Enforce registration at sign-in time. This property can be used to remind users to set up targeted authentication methods.

authenticationStrengthPolicy

Property Type Description
allowedCombinations authenticationMethodModes collection A collection of authentication method mode combinations, any one of which satisfies this authentication strength.
createdDateTime DateTimeOffset The datetime when this policy was created.
description String The human-readable description of this policy.
displayName String The human-readable display name of this policy. Supports $filter (eq, ne, not, and in).
id String The system-generated identifier for this policy. Inherited from entity.
modifiedDateTime DateTimeOffset The datetime when this policy was last modified.
policyType authenticationStrengthPolicyType A descriptor of whether this policy is built into Azure AD or created by an admin for the tenant. The possible values are: builtIn, custom, unknownFutureValue. Supports $filter (eq, ne, not, and in).
requirementsSatisfied authenticationStrengthRequirements A descriptor of whether this authentication strength grants the MFA claim upon successful satisfaction. The possible values are: none, mfa, unknownFutureValue.

authenticationStrengthUsage

Property Type Description
mfa conditionalAccessPolicy collection A collection of Conditional Access policies that reference the specified authentication strength policy and that require an MFA claim.
none conditionalAccessPolicy collection A collection of Conditional Access policies that reference the specified authentication strength policy and that do not require an MFA claim.

b2cAuthenticationMethodsPolicy

Property Type Description
id String The id of the B2C authentication methods policy. This is a read-only property and the key.
isEmailPasswordAuthenticationEnabled Boolean The tenant admin can configure local accounts using email if the email and password authentication method is enabled.
isUserNameAuthenticationEnabled Boolean The tenant admin can configure local accounts using username if the username and password authentication method is enabled.
isPhoneOneTimePasswordAuthenticationEnabled Boolean The tenant admin can configure local accounts using phone number if the phone number and one-time password authentication method is enabled.

emailAuthenticationMethodConfiguration

Property Type Description
allowExternalIdToUseEmailOtp externalEmailOtpState Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who did not use public preview will automatically have email OTP enabled beginning in October 2021.
id String The authentication method policy identifier. Inherited from authenticationMethodConfiguration.
state authenticationMethodState Indicates whether this authentication method is enabled or not. Possible values are: enabled, disabled.

fido2AuthenticationMethodConfiguration

Property Type Description
id String The authentication method policy identifier.
isAttestationEnforced Boolean Determines whether attestation must be enforced for FIDO2 security key registration.
isSelfServiceRegistrationAllowed Boolean Determines if users can register new FIDO2 security keys.
keyRestrictions fido2KeyRestrictions Controls whether key restrictions are enforced on FIDO2 security keys, either allowing or disallowing certain key types as defined by Authenticator Attestation GUID (AAGUID), an identifier that indicates the type (e.g. make and model) of the authenticator.
state authenticationMethodState Possible values are: enabled, disabled.

fido2CombinationConfiguration

Property Type Description
allowedAAGUIDs String collection A list of AAGUIDs allowed to be used as part of the specified authentication method combinations.
appliesToCombinations authenticationMethodModes collection Which authentication method combinations this configuration applies to. The only possible value for fido2combinationConfigurations is "fido2". Inherited from authenticationCombinationConfiguration.
id String A system-generated identifier. Inherited from entity.

microsoftAuthenticatorAuthenticationMethodConfiguration

Property Type Description
id String The authentication method policy identifier.
featureSettings microsoftAuthenticatorFeatureSettings A collection of Microsoft Authenticator settings such as application context and location context, and whether they are enabled for all users or specific users only.
state authenticationMethodState Possible values are: enabled, disabled.

passwordlessMicrosoftAuthenticatorAuthenticationMethodConfiguration

Property Type Description
id String The authentication method policy identifier.
state authenticationMethodState Possible values are: enabled, disabled.

registrationEnforcement

Property Type Description
authenticationMethodsRegistrationCampaign authenticationMethodsRegistrationCampaign Run campaigns to remind users to set up targeted authentication methods.

smsAuthenticationMethodConfiguration

Property Type Description
excludeTargets excludeTarget collection Groups of users that are excluded from the policy.
id String The authentication method policy identifier.
state authenticationMethodState Possible values are: enabled, disabled.

softwareOathAuthenticationMethodConfiguration

Property Type Description
excludeTargets excludeTarget collection Groups of users that are excluded from the policy.
id String The authentication method policy identifier.
state authenticationMethodState Represents whether users can register this authentication method. The possible values are: enabled, disabled.

temporaryAccessPassAuthenticationMethodConfiguration

Property Type Description
defaultLength Int Default length in characters of a Temporary Access Pass object. Must be between 8 and 48 characters.
defaultLifetimeInMinutes Int Default lifetime in minutes for a Temporary Access Pass. Value can be any integer between the minimumLifetimeInMinutes and maximumLifetimeInMinutes.
id String The identifier of the authentication method policy. Inherited from entity.
isUsableOnce Boolean If true, all the passes in the tenant will be restricted to one-time use. If false, passes in the tenant can be created to be either one-time use or reusable.
maximumLifetimeInMinutes Int Maximum lifetime in minutes for any Temporary Access Pass created in the tenant. Value can be between 10 and 43200 minutes (equivalent to 30 days).
minimumLifetimeInMinutes Int Minimum lifetime in minutes for any Temporary Access Pass created in the tenant. Value can be between 10 and 43200 minutes (equivalent to 30 days).
state authenticationMethodState Whether the Temporary Access Pass method is enabled in the tenant. Possible values are: enabled, disabled. Inherited from authenticationMethodConfiguration.

updateAllowedCombinationsResult

Property Type Description
additionalInformation String Information about why the updateAllowedCombinations action was successful or failed.
conditionalAccessReferences String collection References to existing Conditional Access policies that use this authentication strength.
currentCombinations authenticationMethodModes collection The list of current authentication method combinations allowed by the authentication strength.
previousCombinations authenticationMethodModes collection The list of former authentication method combinations allowed by the authentication strength before they were updated through the updateAllowedCombinations action.
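The Python below is an added example, not code from this page or from Microsoft, showing how a practitioner works with the authenticationStrengthPolicy and updateAllowedCombinationsResult resources described above: it flags allowedCombinations that are not phishing-resistant, builds the POST body for /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations, and diffs the result. Combination strings are authenticationMethodModes values joined by commas (for example "password,sms"); the policy and result objects are constructed, and the set of modes treated as phishing-resistant is an assumption of the example.

```python
"""Authentication strength hygiene: find weak allowedCombinations, build the
updateAllowedCombinations request, and read its result.

Added example, not from the original page. Runs offline on constructed
policy and result objects.
"""

# Assumption for the example: modes that resist credential phishing on their own.
PHISHING_RESISTANT_MODES = {"fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"}

# Constructed custom policy, shaped like
# GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
CUSTOM_POLICY = {
    "id": "0f1b2c3d-0000-4000-8000-000000000001",
    "displayName": "Admin portal strength",
    "policyType": "custom",
    "requirementsSatisfied": "mfa",
    "allowedCombinations": [
        "fido2",
        "windowsHelloForBusiness",
        "x509CertificateMultiFactor",
        "password,microsoftAuthenticatorPush",   # push approvals can be fatigued
        "password,sms",                          # SMS codes can be intercepted or phished
    ],
}


def modes(combination):
    """Split "password,sms" into its authenticationMethodModes values."""
    return [m.strip() for m in combination.split(",") if m.strip()]


def is_phishing_resistant(combination):
    """True only when every mode in the combination is phishing-resistant."""
    return all(m in PHISHING_RESISTANT_MODES for m in modes(combination))


def weak_combinations(policy):
    return [c for c in policy["allowedCombinations"] if not is_phishing_resistant(c)]


def build_update_request(policy, keep=is_phishing_resistant):
    """Return (url, body) for the updateAllowedCombinations action, dropping
    every combination that fails `keep`. Built-in strengths cannot be edited;
    clone them into a custom policy first."""
    if policy["policyType"] != "custom":
        raise ValueError("only custom authentication strength policies can be updated")
    allowed = [c for c in policy["allowedCombinations"] if keep(c)]
    if not allowed:
        raise ValueError("refusing to submit an empty allowedCombinations list")
    url = f"/policies/authenticationStrengthPolicies/{policy['id']}/updateAllowedCombinations"
    return url, {"allowedCombinations": allowed}


def summarize_result(result):
    """Diff an updateAllowedCombinationsResult and surface the Conditional
    Access policies whose behaviour changes immediately."""
    before = set(result.get("previousCombinations", []))
    after = set(result.get("currentCombinations", []))
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "conditionalAccessReferences": list(result.get("conditionalAccessReferences", [])),
        "additionalInformation": result.get("additionalInformation"),
    }


# Constructed response to the POST built above.
RESULT = {
    "@odata.type": "#microsoft.graph.updateAllowedCombinationsResult",
    "previousCombinations": CUSTOM_POLICY["allowedCombinations"],
    "currentCombinations": ["fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"],
    "conditionalAccessReferences": ["ca-require-strength-for-admins"],
    "additionalInformation": "Updated",
}


if __name__ == "__main__":
    print("weak:", weak_combinations(CUSTOM_POLICY))
    print(build_update_request(CUSTOM_POLICY))
    print(summarize_result(RESULT))
```

Check conditionalAccessReferences (or GET .../{authenticationStrengthPolicyId}/usage beforehand) before submitting: every Conditional Access policy listed there starts enforcing the new combination set as soon as the action succeeds, which is the intended effect when tightening and an outage when a combination was removed by mistake.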

voiceAuthenticationMethodConfiguration

Property Type Description
excludeTargets excludeTarget collection Groups of users that are excluded from the policy.
id String The authentication method policy identifier.
isOfficePhoneAllowed Boolean true if users can register office phones, otherwise, false.
state authenticationMethodState Represents whether users can register this authentication method. The possible values are: enabled, disabled.
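The Python below is an added example, not code from this page or from Microsoft. It audits a constructed v1.0 GET /policies/authenticationMethodsPolicy response against the fido2AuthenticationMethodConfiguration, smsAuthenticationMethodConfiguration, voiceAuthenticationMethodConfiguration and temporaryAccessPassAuthenticationMethodConfiguration properties listed above, and validates a PATCH body for the temporaryAccessPass configuration against the limits this page gives for it. The sample values, the baseline thresholds and the keyRestrictions sub-properties (isEnforced, enforcementType, aaGuids, which come from the Graph fido2KeyRestrictions resource and are not listed on this page) are assumptions of the example.

```python
"""Audit an authenticationMethodsPolicy for settings that weaken MFA and
validate a temporaryAccessPass PATCH before it is sent.

Added example, not from the original page. Runs offline on a constructed
GET /policies/authenticationMethodsPolicy response.
"""

# Constructed response: enabled methods look fine in the portal, but several
# settings are soft.
POLICY = {
    "id": "authenticationMethodsPolicy",
    "policyVersion": "1.5",
    "authenticationMethodConfigurations": [
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
         "id": "Fido2", "state": "enabled",
         "isAttestationEnforced": False, "isSelfServiceRegistrationAllowed": True,
         # keyRestrictions sub-properties: assumption, from the Graph fido2KeyRestrictions type
         "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []}},
        {"@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration",
         "id": "Sms", "state": "enabled", "excludeTargets": []},
        {"@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",
         "id": "Voice", "state": "disabled", "isOfficePhoneAllowed": False, "excludeTargets": []},
        {"@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
         "id": "TemporaryAccessPass", "state": "enabled", "isUsableOnce": False,
         "defaultLength": 8, "defaultLifetimeInMinutes": 60,
         "minimumLifetimeInMinutes": 10, "maximumLifetimeInMinutes": 43200},
    ],
}

# Assumed baseline: telephony methods are not phishing-resistant, and a
# reusable pass that can live 30 days is a standing credential, not a bootstrap.
TELEPHONY_METHODS = {"sms", "voice"}
MAX_TAP_LIFETIME_BASELINE = 8 * 60   # minutes; assumption for the example


def configs_by_id(policy):
    return {c["id"].lower(): c for c in policy["authenticationMethodConfigurations"]}


def audit_policy(policy):
    """Return one finding per weak setting, in a stable order (empty = clean)."""
    findings = []
    cfg = configs_by_id(policy)

    fido2 = cfg.get("fido2")
    if fido2 and fido2["state"] == "enabled":
        if not fido2.get("isAttestationEnforced"):
            findings.append("fido2: attestation not enforced; unverified authenticators can register")
        kr = fido2.get("keyRestrictions") or {}
        if not kr.get("isEnforced"):
            findings.append("fido2: keyRestrictions not enforced; any AAGUID is accepted")
        elif kr.get("enforcementType") == "allow" and not kr.get("aaGuids"):
            findings.append("fido2: allow-list enforced but empty; no key can register")

    for method in sorted(TELEPHONY_METHODS):
        c = cfg.get(method)
        if c and c["state"] == "enabled":
            findings.append(f"{method}: enabled; telephony methods are not phishing-resistant")

    tap = cfg.get("temporaryaccesspass")
    if tap and tap["state"] == "enabled":
        if not tap.get("isUsableOnce"):
            findings.append("temporaryAccessPass: reusable passes allowed (isUsableOnce=false)")
        if tap["maximumLifetimeInMinutes"] > MAX_TAP_LIFETIME_BASELINE:
            findings.append("temporaryAccessPass: maximumLifetimeInMinutes="
                            f"{tap['maximumLifetimeInMinutes']} exceeds baseline "
                            f"{MAX_TAP_LIFETIME_BASELINE}")
    return findings


def validate_tap_patch(body, current=None):
    """Check a PATCH body for .../authenticationMethodConfigurations/temporaryAccessPass
    against the limits on this page. Fields missing from the body are taken from
    `current` (the tenant's existing configuration) when given."""
    eff = {**(current or {}), **body}
    errors = []
    length = eff.get("defaultLength")
    if length is not None and not 8 <= length <= 48:
        errors.append("defaultLength must be between 8 and 48")
    lo = eff.get("minimumLifetimeInMinutes", 10)
    hi = eff.get("maximumLifetimeInMinutes", 43200)
    for name, value in (("minimumLifetimeInMinutes", lo), ("maximumLifetimeInMinutes", hi)):
        if not 10 <= value <= 43200:
            errors.append(f"{name} must be between 10 and 43200")
    if lo > hi:
        errors.append("minimumLifetimeInMinutes must not exceed maximumLifetimeInMinutes")
    default = eff.get("defaultLifetimeInMinutes")
    if default is not None and not lo <= default <= hi:
        errors.append("defaultLifetimeInMinutes must lie between the minimum and maximum lifetimes")
    return errors


# A hardened PATCH body: one-time passes, eight hours at most, one hour by default.
HARDENED_TAP_PATCH = {
    "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
    "isUsableOnce": True, "defaultLength": 12,
    "minimumLifetimeInMinutes": 10, "maximumLifetimeInMinutes": 480,
    "defaultLifetimeInMinutes": 60,
}


if __name__ == "__main__":
    for finding in audit_policy(POLICY):
        print(finding)
    print("hardened TAP body errors:", validate_tap_patch(HARDENED_TAP_PATCH))
```

Run the audit on the policy as read from Graph before and after any change made under this permission; a diff of the findings is a cheap detection for an automation account or a compromised admin session quietly re-enabling SMS or switching off key restrictions.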

x509CertificateAuthenticationMethodConfiguration

Property Type Description
authenticationModeConfiguration x509CertificateAuthenticationModeConfiguration Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings.
certificateUserBindings x509CertificateUserBinding collection Defines fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user. The priority of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored.
id String The identifier for the authentication method policy. The value is always X509Certificate. Inherited from authenticationMethodConfiguration.
state authenticationMethodState The possible values are: enabled, disabled. Inherited from authenticationMethodConfiguration.

x509CertificateAuthenticationModeConfiguration

Property Type Description
rules x509CertificateRule collection Rules are configured in addition to the authentication mode to bind a specific x509CertificateRuleType to an x509CertificateAuthenticationMode. For example, bind the policyOID with identifier 1.32.132.343 to x509CertificateMultiFactor authentication mode.
x509CertificateAuthenticationDefaultMode x509CertificateAuthenticationMode The type of strong authentication mode. The possible values are: x509CertificateSingleFactor, x509CertificateMultiFactor, unknownFutureValue.

x509CertificateUserBinding

Property Type Description
priority Int32 The priority of the binding. Azure AD uses the binding with the highest priority. This value must be a non-negative integer and unique in the collection of objects in the certificateUserBindings property of an x509CertificateAuthenticationMethodConfiguration object. Required.
userProperty String Defines the Azure AD user property of the user object to use for the binding. The possible values are: userPrincipalName, onPremisesUserPrincipalName, certificateUserIds. Required.
x509CertificateField String The field on the X.509 certificate to use for the binding. The possible values are: PrincipalName, RFC822Name, SubjectKeyIdentifier, SHA1PublicKey.
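The Python below is an added example, not code from this page or from Microsoft. It models the two decisions the x509CertificateAuthenticationModeConfiguration and x509CertificateUserBinding tables describe: which user property a presented certificate is bound to (first matching binding in priority order, the rest ignored) and whether that certificate earns single-factor or multifactor (default mode unless a rule matches). The configuration and certificate facts are constructed; it assumes bindings are evaluated from the lowest priority number upward, that x509CertificateRule objects carry x509CertificateRuleType, identifier and x509CertificateAuthenticationMode (from the Graph resource, not listed on this page), and that when several rules match, any multifactor rule is decisive.

```python
"""Certificate-based authentication: resolve the user binding and the
authentication mode from an x509CertificateAuthenticationMethodConfiguration.

Added example, not from the original page. Runs offline on constructed data.
"""

# Constructed configuration, shaped like
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
CONFIG = {
    "id": "X509Certificate",
    "state": "enabled",
    "certificateUserBindings": [   # deliberately unordered; priority decides
        {"priority": 2, "x509CertificateField": "RFC822Name", "userProperty": "userPrincipalName"},
        {"priority": 1, "x509CertificateField": "PrincipalName", "userProperty": "onPremisesUserPrincipalName"},
        {"priority": 3, "x509CertificateField": "SubjectKeyIdentifier", "userProperty": "certificateUserIds"},
    ],
    "authenticationModeConfiguration": {
        "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",
        "rules": [   # rule property names: assumption, from the Graph x509CertificateRule type
            {"x509CertificateRuleType": "policyOID", "identifier": "1.32.132.343",
             "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"},
            {"x509CertificateRuleType": "issuerSubject", "identifier": "CN=Contoso Smartcard CA",
             "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"},
        ],
    },
}


def validate_bindings(bindings):
    """Priorities must be unique, non-negative integers (requirement on this page)."""
    errors, seen = [], set()
    for b in bindings:
        p = b["priority"]
        if not isinstance(p, int) or p < 0:
            errors.append(f"priority {p!r} is not a non-negative integer")
        if p in seen:
            errors.append(f"priority {p} is not unique")
        seen.add(p)
    return errors


def resolve_binding(bindings, cert_fields):
    """First binding, in ascending priority (assumption: lower number wins),
    whose certificate field is present. Returns (userProperty, value) or None."""
    for b in sorted(bindings, key=lambda b: b["priority"]):
        value = cert_fields.get(b["x509CertificateField"])
        if value:
            return b["userProperty"], value
    return None


def resolve_auth_mode(mode_config, cert):
    """Default mode unless a rule matches the certificate's policy OIDs or issuer."""
    matched = []
    for rule in mode_config.get("rules", []):
        kind, ident = rule["x509CertificateRuleType"], rule["identifier"]
        if kind == "policyOID" and ident in cert.get("policyOIDs", []):
            matched.append(rule["x509CertificateAuthenticationMode"])
        elif kind == "issuerSubject" and ident == cert.get("issuerSubject"):
            matched.append(rule["x509CertificateAuthenticationMode"])
    if "x509CertificateMultiFactor" in matched:   # assumption: any MFA rule is decisive
        return "x509CertificateMultiFactor"
    if matched:
        return matched[0]
    return mode_config["x509CertificateAuthenticationDefaultMode"]


# Constructed certificate facts as a verifier would extract them.
SMARTCARD_CERT = {
    "fields": {"PrincipalName": "alice@corp.local", "RFC822Name": "alice@contoso.com"},
    "policyOIDs": ["1.32.132.343"],
    "issuerSubject": "CN=Contoso Smartcard CA",
}
SOFT_CERT = {   # no policy OID, different issuer, only an e-mail SAN
    "fields": {"RFC822Name": "bob@contoso.com"},
    "policyOIDs": [],
    "issuerSubject": "CN=Contoso Users CA",
}


if __name__ == "__main__":
    print(validate_bindings(CONFIG["certificateUserBindings"]))
    for cert in (SMARTCARD_CERT, SOFT_CERT):
        print(resolve_binding(CONFIG["certificateUserBindings"], cert["fields"]),
              resolve_auth_mode(CONFIG["authenticationModeConfiguration"], cert))
```

The second certificate shows the point of the binding order: a cert from any trusted CA whose RFC822Name matches a userPrincipalName signs in as that user at single-factor, so a name-based binding is only as strong as the weakest CA the tenant trusts to issue that name. Put high-affinity bindings (SubjectKeyIdentifier or SHA1PublicKey against certificateUserIds) at the top of the priority list and scope multifactor rules to a policyOID rather than to an issuer alone.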
Created by merill