conditionalAccessGrantControls resource type

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents grant controls that must be fulfilled to pass the policy.


| Property | Type | Description |
|---|---|---|
| operator | String | Defines the relationship of the grant controls. Possible values: AND, OR. |
| builtInControls | conditionalAccessGrantControl collection | List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue. |
| customAuthenticationFactors | String collection | List of custom control IDs required by the policy. To learn more about custom controls, see Custom controls (preview). |
| termsOfUse | String collection | List of terms of use IDs required by the policy. |

Special considerations when using passwordChange as a control

Consider the following when you use the passwordChange control:

  • passwordChange must be accompanied by mfa using an AND operator. This combination ensures that the password will be updated in a secure way.
  • passwordChange must be used in a policy containing userRiskLevels. This is designed to enable scenarios where users must perform a secure password change to reset their user risk.
  • The policy should target all applications, and not exclude any applications.
  • The policy cannot contain any other condition.
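
The first three considerations above can be checked before a policy is submitted. The following is an added example, not part of the original page or of Microsoft's own code: the function name and sample policies are constructed, and the conditions/applications property names are assumed from the related conditionalAccessPolicy resource. The fourth rule is not checked because this page does not list which conditions count as "other".

```python
def check_password_change(policy):
    """Return findings for a conditionalAccessPolicy dict that uses passwordChange."""
    grant = policy.get("grantControls") or {}
    controls = {c.lower() for c in grant.get("builtInControls") or []}
    if "passwordchange" not in controls:
        return []  # the special considerations only apply to passwordChange
    findings = []
    conditions = policy.get("conditions") or {}
    apps = conditions.get("applications") or {}
    # Rule 1: passwordChange must be accompanied by mfa using an AND operator.
    if "mfa" not in controls:
        findings.append("passwordChange is not accompanied by mfa")
    if (grant.get("operator") or "").upper() != "AND":
        findings.append("operator must be AND when passwordChange is used")
    # Rule 2: the policy must contain userRiskLevels.
    if not conditions.get("userRiskLevels"):
        findings.append("policy has no userRiskLevels condition")
    # Rule 3: target all applications and exclude none.
    if [a.lower() for a in apps.get("includeApplications") or []] != ["all"]:
        findings.append("policy does not target all applications")
    if apps.get("excludeApplications"):
        findings.append("policy excludes applications")
    return findings


# Constructed sample policies (not taken from any real tenant).
GOOD_POLICY = {
    "conditions": {
        "userRiskLevels": ["high"],
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
}
BAD_POLICY = {
    "conditions": {
        "applications": {
            "includeApplications": ["All"],
            "excludeApplications": ["00000000-0000-0000-0000-000000000000"],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["passwordChange", "compliantDevice"]},
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_password_change(pol) or "OK")
```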



JSON representation

The following is a JSON representation of the resource.

{
  "builtInControls": ["String"],
  "customAuthenticationFactors": ["String"],
  "operator": "String",
  "termsOfUse": ["String"]
}