authenticationStrengthPolicy: updateAllowedCombinations

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Update the allowedCombinations property of an authenticationStrengthPolicy object. To update other properties of an authenticationStrengthPolicy object, use the Update authenticationStrengthPolicy method.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod
Delegated (personal Microsoft account) Not supported.
Application Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod

For delegated scenarios, the calling user must also be assigned the Conditional Access Administrator or Security Administrator Azure AD role.

HTTP request

POST /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations

Request headers

Name Description
Authorization Bearer {token}. Required.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the parameters.

The following table shows the parameters that can be used with this action.

Parameter Type Description
allowedCombinations authenticationMethodModes collection The authentication method combinations allowed by this authentication strength policy. The possible values of this flagged enum are: password, voice, hardwareOath, softwareOath, sms, fido2, windowsHelloForBusiness, microsoftAuthenticatorPush, deviceBasedPush, temporaryAccessPassOneTime, temporaryAccessPassMultiUse, email, x509CertificateSingleFactor, x509CertificateMultiFactor, federatedSingleFactor, federatedMultiFactor, unknownFutureValue. For the list of allowed combinations, call the List authenticationMethodModes API. Required.


If successful, this action returns a 200 OK response code and a updateAllowedCombinationsResult in the response body.



The following is an example of a request.

Content-Type: application/json
Content-length: 51

  "allowedCombinations": [
      "password, voice"


The following is an example of the response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

  "@odata.type" : "#microsoft.graph.updateAllowedCombinationsResult",
  "previousCombinations": [
    "password, voice"
  "currentCombinations": [
    "password, voice"
  "conditionalAccessReferences": [
  "additionalInformation": "You have lowered the security of the My Custom Strength authentication strength by adding a lower security combination. This Authentication Strength is referenced by one or more Conditional Access policies. Review conditionalAccessReferences to understand which Conditional Access policies were impacted by this change. To reverse your changes back, use updateAllowedCombinations action with the previousCombinations values."