Update x509CertificateAuthenticationMethodConfiguration

Namespace: microsoft.graph

Update the properties of the X.509 certificate authentication method.

This API is supported in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Policy.ReadWrite.AuthenticationMethod
Delegated (personal Microsoft account) Not supported.
Application Not supported.

For delegated scenarios, the administrator needs at least the Authentication Policy Administrator Azure AD role.

HTTP request

PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate

Request headers

Name Description
Authorization Bearer {token}. Required.
Content-Type application/json. Required.

Request body

The following properties can be updated.

Property Type Description
state authenticationMethodState The possible values are: enabled, disabled. Inherited from authenticationMethodConfiguration.
certificateUserBindings x509CertificateUserBinding collection Defines fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user. The priority of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored.
authenticationModeConfiguration x509CertificateAuthenticationModeConfiguration Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings.

Note: The @odata.type property with a value of #microsoft.graph.x509CertificateAuthenticationMethodConfiguration must be included in the body.


If successful, this method returns a 204 No Content response code. It does not return anything in the response body.



The following is an example of an update request with the following settings:

  • Enables the x509 certificate authentication method in the tenant.
  • Configures only one user binding between the certificate PrincipalName and the Azure AD onPremisesUserPrincipalName properties.
  • Defines multi-factor authentication as requirement.
  • Configures the binding rules for the strong authentication method against the rule type.
PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
Content-Type: application/json

    "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
    "id": "X509Certificate",
    "state": "enabled",
    "certificateUserBindings": [
            "x509CertificateField": "PrincipalName",
            "userProperty": "onPremisesUserPrincipalName",
            "priority": 1
    "authenticationModeConfiguration": {
        "x509CertificateAuthenticationDefaultMode": "x509CertificateMultiFactor",
        "rules": [
                "x509CertificateRuleType": "issuerSubject",
                "identifier": "CN=ContosoCA,DC=Contoso,DC=org ",
                "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"
                "x509CertificateRuleType": "policyOID",
                "identifier": "",
                "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"
    "includeTargets": [
            "targetType": "group",
            "id": "all_users",
            "isRegistrationRequired": false


HTTP/1.1 204 No Content