conditionalAccessGrantControls resource type

Namespace: microsoft.graph

Represents grant controls that must be fulfilled to pass the policy.


| Property | Type | Description |
|---|---|---|
| builtInControls | conditionalAccessGrantControl collection | List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue. |
| customAuthenticationFactors | String collection | List of custom control IDs required by the policy. For more information, see Custom controls. |
| operator | String | Defines the relationship of the grant controls. Possible values: AND, OR. |
| termsOfUse | String collection | List of terms of use IDs required by the policy. |

Special considerations when using passwordChange as a control

Consider the following when you use the passwordChange control:

  • passwordChange must be accompanied by mfa using an AND operator. This combination ensures that the password will be updated in a secure way.
  • passwordChange must be used in a policy containing userRiskLevels. This is designed to enable scenarios where users must use a secure password change to reset their user risk.
  • The policy should target all applications, and not exclude any applications.
  • The policy cannot contain any other condition except users, applications and userRiskLevels.
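
The four rules above can be checked before a policy is submitted. The following is an added example, not part of the original reference or Microsoft's own code. It assumes the policy is a dict shaped like the conditionalAccessPolicy resource, with the property names conditions, applications, includeApplications, excludeApplications, signInRiskLevels and clientAppTypes (none of which appear on this page); check_password_change_policy and the sample policies are hypothetical.

```python
# Condition names come from the conditionalAccessPolicy resource (assumed here).
ALLOWED_CONDITIONS = {"users", "applications", "userRiskLevels"}
# Assumption: clientAppTypes ["all"] means no client app filter; treated as unset.
UNSET_DEFAULTS = {"clientAppTypes": ["all"]}

def is_set(name, value):
    """True if the condition carries a real, non-default value."""
    return value not in (None, [], {}, "") and value != UNSET_DEFAULTS.get(name)

def check_password_change_policy(policy):
    """Return violations of the passwordChange rules; an empty list means OK."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "passwordChange" not in controls:
        return []  # the rules only apply when passwordChange is required
    cond = policy.get("conditions") or {}
    problems = []
    if "mfa" not in controls or grant.get("operator") != "AND":
        problems.append("passwordChange must be accompanied by mfa with operator AND")
    if not is_set("userRiskLevels", cond.get("userRiskLevels")):
        problems.append("policy must contain userRiskLevels")
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        problems.append("policy should target all applications and exclude none")
    extra = sorted(k for k, v in cond.items() if k not in ALLOWED_CONDITIONS and is_set(k, v))
    if extra:
        problems.append("unsupported extra conditions: " + ", ".join(extra))
    return problems

# Constructed sample policies (placeholder values, not from a real tenant).
GOOD = {
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "userRiskLevels": ["high"],
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
}
BAD = {
    "conditions": {
        "applications": {"includeApplications": ["All"], "excludeApplications": ["app-id"]},
        "signInRiskLevels": ["medium"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["passwordChange"]},
}

if __name__ == "__main__":
    print(check_password_change_policy(GOOD), check_password_change_policy(BAD))
```

GOOD yields no violations; BAD yields one per rule: mfa is missing and the operator is OR, userRiskLevels is absent, an application is excluded, and signInRiskLevels is an extra condition.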



JSON representation

The following is a JSON representation of the resource.

{
  "builtInControls": ["String"],
  "customAuthenticationFactors": ["String"],
  "operator": "String",
  "termsOfUse": ["String"]
}