Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the UserAuthenticationMethod.Read permission.
If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: authenticationMethod
| Property |
Type |
Description |
| id |
String |
The identifier of this instance of an authentication method registered to this user. Read-only. |
Graph reference: emailAuthenticationMethod
| Property |
Type |
Description |
| emailAddress |
String |
The email address registered to this user. |
| id |
String |
The identifier of the email address registered to this user. The ID is always 3ddfcfc8-9383-446f-83cc-3ab9be4be18f. |
Graph reference: fido2AuthenticationMethod
| Property |
Type |
Description |
| aaGuid |
String |
Authenticator Attestation GUID, an identifier that indicates the type (e.g. make and model) of the authenticator. |
| attestationCertificates |
String collection |
The attestation certificate(s) attached to this security key. |
| attestationLevel |
attestationLevel |
The attestation level of this FIDO2 security key. Possible values are: attested, or notAttested. |
| createdDateTime |
DateTimeOffset |
The timestamp when this key was registered to the user. |
| displayName |
String |
The display name of the key as given by the user. |
| id |
String |
The authentication method identifier. |
| model |
String |
The manufacturer-assigned model of the FIDO2 security key. |
Graph reference: microsoftAuthenticatorAuthenticationMethod
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The date and time that this app was registered. This property is null if the device isn't registered for passwordless Phone Sign-In. |
| deviceTag |
String |
Tags containing app metadata. |
| displayName |
String |
The name of the device on which this app is registered. |
| id |
String |
A unique identifier for this authentication method. Inherited from authenticationMethod |
| phoneAppVersion |
String |
Numerical version of this instance of the Authenticator app. |
Graph reference: passwordAuthenticationMethod
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The date and time when this password was last updated. This property is currently not populated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id |
String |
The identifier of this password registered to this user. This is generally 28c10230-6103-485e-b985-444c60001490. Read-only. |
| password |
String |
For security, the password is always returned as null from a LIST or GET operation. |
Graph reference: passwordlessmicrosoftauthenticatorauthenticationmethod
| Property |
Type |
Description |
| id |
String |
The authentication method identifier. |
| displayName |
String |
The display name of the mobile device as given by the user. |
| creationDateTime |
DateTimeOffset |
The timestamp when this method was registered to the user. |
Graph reference: phoneAuthenticationMethod
| Property |
Type |
Description |
| id |
String |
The identifier of this phone registered to this user. Read-only.
The value of ID is one of the following:b6332ec1-7057-4abe-9331-3d72feddfe41 - where phoneType is alternateMobile.e37fc753-ff3b-4958-9484-eaa9425c82bc - where phoneType is office.3179e48a-750b-4051-897c-87b9720928f7 - where phoneType is mobile.
|
| phoneNumber |
String |
The phone number to text or call for authentication. Phone numbers use the format +{country code} {number}x{extension}, with extension optional. For example, +1 5555551234 or +1 5555551234x123 are valid. Numbers are rejected when creating or updating if they don't match the required format. |
| phoneType |
authenticationPhoneType |
The type of this phone. Possible values are: mobile, alternateMobile, or office. |
| smsSignInState |
authenticationMethodSignInState |
Whether a phone is ready to be used for SMS sign-in or not. Possible values are: notSupported, notAllowedByPolicy, notEnabled, phoneNumberNotUnique, ready, or notConfigured, unknownFutureValue. |
Graph reference: softwareOathAuthenticationMethod
| Property |
Type |
Description |
| id |
String |
The authentication method identifier. |
| secretKey |
String |
The secret key of the method. Always returns null. |
Graph reference: strongAuthenticationRequirements
| Property |
Type |
Description |
| perUserMfaState |
perUserMfaState |
Sets the per-user MFA state for the user. The possible values are: disabled, enforced, enabled, unknownFutureValue. When you update a user's MFA state to enabled and the user has already registered an MFA method, their state changes automatically to enforced. |
Graph reference: temporaryAccessPassAuthenticationMethod
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The date and time when the Temporary Access Pass was created. |
| id |
String |
The identifier of the Temporary Access Pass registered to this user. Inherited from entity. |
| isUsable |
Boolean |
The state of the authentication method that indicates whether it's currently usable by the user. |
| isUsableOnce |
Boolean |
Determines whether the pass is limited to a one-time use. If true, the pass can be used once; if false, the pass can be used multiple times within the Temporary Access Pass lifetime. |
| lifetimeInMinutes |
Int32 |
The lifetime of the Temporary Access Pass in minutes starting at startDateTime. Must be between 10 and 43200 inclusive (equivalent to 30 days). |
| methodUsabilityReason |
String |
Details about the usability state (isUsable). Reasons can include: EnabledByPolicy, DisabledByPolicy, Expired, NotYetValid, OneTimeUsed. |
| startDateTime |
DateTimeOffset |
The date and time when the Temporary Access Pass becomes available to use and when isUsable is true is enforced. |
| temporaryAccessPass |
String |
The Temporary Access Pass used to authenticate. Returned only on creation of a new **t |
Graph reference: webauthnCredentialCreationOptions
| Property |
Type |
Description |
| challengeTimeoutDateTime |
DateTimeOffset |
Defines when the challenge in the creation options is no longer valid. Expired challenges are rejected when you attempt to create a new fido2AuthenticationMethod. |
| publicKey |
webauthnCredentialCreationOptions |
Defines public key options for the creation of a new WebAuthn public key credential. |
Graph reference: windowsHelloForBusinessAuthenticationMethod
| Property |
Type |
Description |
| createdDateTime |
DateTimeOffset |
The date and time that this Windows Hello for Business key was registered. |
| displayName |
String |
The name of the device on which Windows Hello for Business is registered |
| id |
String |
A unique identifier for this authentication method. Inherited from authenticationMethod |
| keyStrength |
authenticationMethodKeyStrength |
Key strength of this Windows Hello for Business key. Possible values are: normal, weak, unknown. |