conditionalAccessGrantControls resource type

Namespace: microsoft.graph

Represents grant controls that must be fulfilled to pass the policy.


Property Type Description
builtInControls conditionalAccessGrantControl collection List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue.
customAuthenticationFactors String collection List of custom controls IDs required by the policy. For more information, see Custom controls.
operator String Defines the relationship of the grant controls. Possible values: AND, OR.
termsOfUse String collection List of terms of use IDs required by the policy.

Special considerations when using passwordChange as a control

Consider the following when you use the passwordChange control:

  • passwordChange must be accompanied by mfa using an AND operator. This combination ensures that the password will be updated in a secure way.
  • passwordChange must be used in a policy containing userRiskLevels. This is designed to enable scenarios where users must use a secure change password to reset their user risk.
  • The policy should target all applications, and not exclude any applications.
  • The policy cannot contain any other condition except users, applications and userRiskLevels.


Relationship Type Description
authenticationStrength authenticationStrengthPolicy The authentication strength required by the conditional access policy. Optional.

JSON representation

The following is a JSON representation of the resource.

  "builtInControls": ["String"],
  "customAuthenticationFactors": ["String"],
  "operator": "String",
  "termsOfUse": ["String"],
  "authenticationStrength": {"@odata.type": "microsoft.graph.authenticationStrengthPolicy"}