authenticationStrengthPolicy: updateAllowedCombinations
Namespace: microsoft.graph
Important
APIs under the /beta
version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update the allowedCombinations property of an authenticationStrengthPolicy object. To update other properties of an authenticationStrengthPolicy object, use the Update authenticationStrengthPolicy method.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
Permission type | Permissions (from least to most privileged) |
---|---|
Delegated (work or school account) | Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod |
Delegated (personal Microsoft account) | Not supported. |
Application | Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod |
For delegated scenarios, the calling user must also be assigned the Conditional Access Administrator or Security Administrator Azure AD role.
HTTP request
POST /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations
Request headers
Name | Description |
---|---|
Authorization | Bearer {token}. Required. |
Content-Type | application/json. Required. |
Request body
In the request body, supply a JSON representation of the parameters.
The following table shows the parameters that can be used with this action.
Parameter | Type | Description |
---|---|---|
allowedCombinations | authenticationMethodModes collection | The authentication method combinations allowed by this authentication strength policy. The possible values of this flagged enum are: password , voice , hardwareOath , softwareOath , sms , fido2 , windowsHelloForBusiness , microsoftAuthenticatorPush , deviceBasedPush , temporaryAccessPassOneTime , temporaryAccessPassMultiUse , email , x509CertificateSingleFactor , x509CertificateMultiFactor , federatedSingleFactor , federatedMultiFactor , unknownFutureValue . For the list of allowed combinations, call the List authenticationMethodModes API. Required. |
Response
If successful, this action returns a 200 OK
response code and a updateAllowedCombinationsResult in the response body.
Examples
Request
The following is an example of a request.
POST https://graph.microsoft.com/beta/policies/authenticationStrengthPolicies/33c5d2c0-884e-4b5d-a5b8-5395082b092c/updateAllowedCombinations
Content-Type: application/json
Content-length: 51
{
"allowedCombinations": [
"password, voice"
]
}
Response
The following is an example of the response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.type" : "#microsoft.graph.updateAllowedCombinationsResult",
"previousCombinations": [
"fido2",
"password, voice"
],
"currentCombinations": [
"password, voice"
],
"conditionalAccessReferences": [
"53a3968a-ae2c-4b82-a313-091d10c52bfa"
],
"additionalInformation": "You have lowered the security of the My Custom Strength authentication strength by adding a lower security combination. This Authentication Strength is referenced by one or more Conditional Access policies. Review conditionalAccessReferences to understand which Conditional Access policies were impacted by this change. To reverse your changes back, use updateAllowedCombinations action with the previousCombinations values."
}
Feedback
Submit and view feedback for