Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Permission type
Least privileged permissions
Higher privileged permissions
Delegated (work or school account)
Policy.ReadWrite.ConditionalAccess
Policy.ReadWrite.AuthenticationMethod
Delegated (personal Microsoft account)
Not supported.
Not supported.
Application
Policy.ReadWrite.ConditionalAccess
Policy.ReadWrite.AuthenticationMethod
For delegated scenarios, the calling user must also be assigned at least the Conditional Access Administrator or Security AdministratorMicrosoft Entra role.
HTTP request
POST /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations
In the request body, supply a JSON representation of the parameters.
The following table shows the parameters that can be used with this action.
Parameter
Type
Description
allowedCombinations
authenticationMethodModes collection
The authentication method combinations allowed by this authentication strength policy. The possible values of this flagged enum are: password, voice, hardwareOath, softwareOath, sms, fido2, windowsHelloForBusiness, microsoftAuthenticatorPush, deviceBasedPush, temporaryAccessPassOneTime, temporaryAccessPassMultiUse, email, x509CertificateSingleFactor, x509CertificateMultiFactor, federatedSingleFactor, federatedMultiFactor, unknownFutureValue. For the list of allowed combinations, call the List authenticationMethodModes API. Required.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Policies.AuthenticationStrengthPolicies.Item.UpdateAllowedCombinations;
using Microsoft.Graph.Models;
var requestBody = new UpdateAllowedCombinationsPostRequestBody
{
AllowedCombinations = new List<AuthenticationMethodModes?>
{
AuthenticationMethodModes.Password | AuthenticationMethodModes.Voice,
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthenticationStrengthPolicies["{authenticationStrengthPolicy-id}"].UpdateAllowedCombinations.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc policies authentication-strength-policies update-allowed-combinations post --authentication-strength-policy-id {authenticationStrengthPolicy-id} --body '{\
"allowedCombinations": [\
"password, voice"\
]\
}\
'
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.policies.authenticationstrengthpolicies.item.updateallowedcombinations.UpdateAllowedCombinationsPostRequestBody updateAllowedCombinationsPostRequestBody = new com.microsoft.graph.policies.authenticationstrengthpolicies.item.updateallowedcombinations.UpdateAllowedCombinationsPostRequestBody();
LinkedList<AuthenticationMethodModes> allowedCombinations = new LinkedList<AuthenticationMethodModes>();
allowedCombinations.add(AuthenticationMethodModes.Password);
allowedCombinations.add(AuthenticationMethodModes.Voice);
updateAllowedCombinationsPostRequestBody.setAllowedCombinations(allowedCombinations);
var result = graphClient.policies().authenticationStrengthPolicies().byAuthenticationStrengthPolicyId("{authenticationStrengthPolicy-id}").updateAllowedCombinations().post(updateAllowedCombinationsPostRequestBody);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\UpdateAllowedCombinationsPostRequestBody;
use Microsoft\Graph\Generated\Models\AuthenticationMethodModes;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UpdateAllowedCombinationsPostRequestBody();
$requestBody->setAllowedCombinations([new AuthenticationMethodModes('password, voice'), ]);
$result = $graphServiceClient->policies()->authenticationStrengthPolicies()->byAuthenticationStrengthPolicyId('authenticationStrengthPolicy-id')->updateAllowedCombinations()->post($requestBody)->wait();
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.type" : "#microsoft.graph.updateAllowedCombinationsResult",
"previousCombinations": [
"fido2",
"password, voice"
],
"currentCombinations": [
"password, voice"
],
"conditionalAccessReferences": [
"53a3968a-ae2c-4b82-a313-091d10c52bfa"
],
"additionalInformation": "You have lowered the security of the My Custom Strength authentication strength by adding a lower security combination. This Authentication Strength is referenced by one or more Conditional Access policies. Review conditionalAccessReferences to understand which Conditional Access policies were impacted by this change. To reverse your changes back, use updateAllowedCombinations action with the previousCombinations values."
}
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.