conditionalAccessGrantControls resource type

Namespace: microsoft.graph

Represents grant controls that must be fulfilled to pass the policy.

Properties

Property	Type	Description
builtInControls	conditionalAccessGrantControl collection	List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue.
customAuthenticationFactors	String collection	List of custom controls IDs required by the policy. For more information, see Custom controls.
operator	String	Defines the relationship of the grant controls. Possible values: AND, OR.
termsOfUse	String collection	List of terms of use IDs required by the policy.

Special considerations when using passwordChange as a control

Consider the following when you use the passwordChange control:

• passwordChange must be accompanied by mfa using an AND operator. This combination ensures that the password will be updated in a secure way.
• passwordChange must be used in a policy containing userRiskLevels. This is designed to enable scenarios where users must use a secure change password to reset their user risk.
• The policy should target all applications, and not exclude any applications.
• The policy cannot contain any other condition except users, applications and userRiskLevels.

Relationships

Relationship	Type	Description
authenticationStrength	authenticationStrengthPolicy	The authentication strength required by the conditional access policy. Optional.

JSON representation

The following is a JSON representation of the resource.

{
  "builtInControls": ["String"],
  "customAuthenticationFactors": ["String"],
  "operator": "String",
  "termsOfUse": ["String"],
  "authenticationStrength": {"@odata.type": "microsoft.graph.authenticationStrengthPolicy"}
}