Create authenticationStrengthPolicy

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new custom authenticationStrengthPolicy object.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type                        | Permissions (from least to most privileged)                                 |
|----------------------------------------|-----------------------------------------------------------------------------|
| Delegated (work or school account)     | Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod   |
| Delegated (personal Microsoft account) | Not supported.                                                              |
| Application                            | Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.AuthenticationMethod   |

For delegated scenarios, the calling user must also be assigned the Conditional Access Administrator or Security Administrator Azure AD role.

HTTP request

POST /policies/authenticationStrengthPolicies

Request headers

| Name          | Description                |
|---------------|----------------------------|
| Authorization | Bearer {token}. Required.  |
| Content-Type  | application/json. Required.|

Request body

In the request body, supply a JSON representation of the authenticationStrengthPolicy object.

You can specify the following properties when creating an authenticationStrengthPolicy.

| Property            | Type                                 | Description |
|---------------------|--------------------------------------|-------------|
| displayName         | String                               | The display name of the policy to be created. Required. |
| description         | String                               | The description of the policy to be created. Optional. |
| allowedCombinations | authenticationMethodModes collection | The authentication method combinations allowed by this authentication strength policy. The possible values of this flagged enum are: password, voice, hardwareOath, softwareOath, sms, fido2, windowsHelloForBusiness, microsoftAuthenticatorPush, deviceBasedPush, temporaryAccessPassOneTime, temporaryAccessPassMultiUse, email, x509CertificateSingleFactor, x509CertificateMultiFactor, federatedSingleFactor, federatedMultiFactor, unknownFutureValue. For the list of allowed combinations, call the List authenticationMethodModes API. Required. |

Response

If successful, this method returns a 201 Created response code and an authenticationStrengthPolicy object in the response body.

Examples

Request

The following is an example of a request.

POST https://graph.microsoft.com/beta/policies/authenticationStrengthPolicies
Content-Type: application/json
Content-length: 239

{
  "@odata.type" : "#microsoft.graph.authenticationStrengthPolicy",
  "displayName": "Contoso authentication level",
  "description": "The only authentication level allowed to access our secret apps",
  "allowedCombinations": [
      "password, hardwareOath",
      "password, sms"
  ]
}

Response

The following is an example of the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "@odata.type" : "#microsoft.graph.authenticationStrengthPolicy",
  "id": "dd055c42-4218-4281-8631-f090e171f5cd",
  "createdDateTime": "2022-09-30T10:59:01Z",
  "modifiedDateTime": "2022-09-30T10:59:01Z",
  "displayName": "Contoso authentication level",
  "description": "The only authentication level allowed to access our secret apps",
  "policyType": "custom",
  "requirementsSatisfied": "mfa",
  "allowedCombinations": [
      "password, hardwareOath",
      "password, sms"
  ],
  "combinationConfigurations": []
}
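Added example, not code from the Microsoft Graph documentation or an SDK: a small Python helper that checks each allowedCombinations entry against the authenticationMethodModes values from the properties table, builds the request body shown above, and posts it with the headers from the request headers table. The bearer token and the policy values a caller passes in are placeholders; the allowed-combination list itself still has to be confirmed with the List authenticationMethodModes API.

```python
import json
import urllib.request
# Added example, not from the Microsoft Graph docs; token and policy values are placeholders.
ENDPOINT = "https://graph.microsoft.com/beta/policies/authenticationStrengthPolicies"
AUTH_METHOD_MODES = {  # authenticationMethodModes values listed on this page
    "password", "voice", "hardwareOath", "softwareOath", "sms", "fido2",
    "windowsHelloForBusiness", "microsoftAuthenticatorPush", "deviceBasedPush",
    "temporaryAccessPassOneTime", "temporaryAccessPassMultiUse", "email",
    "x509CertificateSingleFactor", "x509CertificateMultiFactor",
    "federatedSingleFactor", "federatedMultiFactor",
}
def normalize_combination(combo):
    """Parse 'password, sms', reject unknown modes, return canonical 'a, b' form."""
    modes = []
    for mode in (m.strip() for m in combo.split(",")):
        if mode not in AUTH_METHOD_MODES:
            raise ValueError(f"unknown authentication method mode: {mode!r}")
        if mode not in modes:  # drop duplicates, keep first occurrence and order
            modes.append(mode)
    return ", ".join(modes)

def is_valid_combination(combo):
    """True when every mode in the combination is a known enum value."""
    try:
        normalize_combination(combo)
        return True
    except ValueError:
        return False

def build_policy_body(display_name, combinations, description=None):
    """Build the JSON body; displayName and allowedCombinations are required."""
    if not display_name or not combinations:
        raise ValueError("displayName and allowedCombinations are required")
    body = {
        "@odata.type": "#microsoft.graph.authenticationStrengthPolicy",
        "displayName": display_name,
        "allowedCombinations": [normalize_combination(c) for c in combinations],
    }
    if description:
        body["description"] = description
    return body

def create_policy(access_token, body):
    """POST the body with the required headers; returns (status, response dict)."""
    req = urllib.request.Request(
        ENDPOINT, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)  # 201 Created on success
```

A caller with Policy.ReadWrite.ConditionalAccess or Policy.ReadWrite.AuthenticationMethod and the required directory role would pass the token to create_policy; the returned object carries the server-assigned id and policyType "custom".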