authenticationBehaviors resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Describes the authentication behaviors set in the context of an application. Authentication behaviors are Boolean flags that provide applications flexibility in adopting breaking-change behaviors related to token issuance. These updated token issuance behaviors can be related to security mitigations, security improvements, or feature deprecations.

Applications can adopt new breaking changes by enabling a behavior (setting the behavior to true), or continue using the preexisting behavior by disabling it (setting the behavior to false). For more information about managing authentication behaviors, see Manage application authenticationBehaviors.

Properties

| Property | Type | Description |
|---|---|---|
| blockAzureADGraphAccess | Boolean | If false, allows the app to have extended access to Azure AD Graph until June 30, 2025, when Azure AD Graph is fully retired. For more information on Azure AD retirement updates, see June 2024 update on Azure AD Graph API retirement. |
| removeUnverifiedEmailClaim | Boolean | If true, removes the email claim from tokens sent to an application when the email address's domain can't be verified. |
| requireClientServicePrincipal | Boolean | If true, requires multitenant applications to have a service principal in the resource tenant as part of authorization checks before they're granted access tokens. This property is only modifiable for multitenant resource applications that rely on access from clients without a service principal and had this behavior set to false by Microsoft. Tenant administrators should respond to security advisories sent through Azure Health Service events and the Microsoft 365 message center. |

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.authenticationBehaviors",
  "blockAzureADGraphAccess": "Boolean",
  "removeUnverifiedEmailClaim": "Boolean",
  "requireClientServicePrincipal": "Boolean"
}
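The following Python audit is an added example, not part of the original page and not Microsoft's code: it reads application objects that carry this resource and lists the behaviors each app has explicitly disabled, then builds an update body that enables them. The sample data, the `id` and `displayName` wrapper fields, and treating null or a missing object as "unset" are assumptions.

```python
import json

# Property names are the ones this page lists for authenticationBehaviors.
FLAGS = ("blockAzureADGraphAccess", "removeUnverifiedEmailClaim",
         "requireClientServicePrincipal")

# Constructed sample data. The wrapper fields (id, displayName) and the use of
# null or a missing object for "never set" are assumptions, not from the page.
SAMPLE = json.loads("""[
  {"id": "app-1", "displayName": "Payroll", "authenticationBehaviors":
    {"blockAzureADGraphAccess": false, "removeUnverifiedEmailClaim": true,
     "requireClientServicePrincipal": null}},
  {"id": "app-2", "displayName": "Legacy sync", "authenticationBehaviors":
    {"blockAzureADGraphAccess": true, "removeUnverifiedEmailClaim": false,
     "requireClientServicePrincipal": false}},
  {"id": "app-3", "displayName": "New portal"}
]""")


def classify(app):
    """Map each flag to 'enabled', 'disabled' or 'unset' for one application."""
    behaviors = app.get("authenticationBehaviors") or {}
    def state(v):
        return "enabled" if v is True else "disabled" if v is False else "unset"
    return {flag: state(behaviors.get(flag)) for flag in FLAGS}


def audit(apps):
    """Return {app id: [flags explicitly set to false]}, skipping clean apps."""
    report = {}
    for app in apps:
        disabled = [f for f, s in classify(app).items() if s == "disabled"]
        if disabled:
            report[app["id"]] = disabled
    return report


def remediation_body(disabled_flags):
    """Build an update body that sets the disabled behaviors to true.

    requireClientServicePrincipal is left for manual review because the page
    says it is only modifiable for certain multitenant resource applications.
    """
    return {f: True for f in disabled_flags
            if f != "requireClientServicePrincipal"}


if __name__ == "__main__":
    for app_id, flags in audit(SAMPLE).items():
        print(app_id, flags, json.dumps(remediation_body(flags)))
```

Flags reported as "unset" are not treated as findings here, since the page only defines the meaning of true and false.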