conditionalAccessGrantControls resource type
Namespace: microsoft.graph
Represents grant controls that must be fulfilled to pass the policy.
Properties
Property | Type | Description |
---|---|---|
builtInControls | conditionalAccessGrantControl collection | List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue. |
customAuthenticationFactors | String collection | List of custom controls IDs required by the policy. For more information, see Custom controls. |
operator | String | Defines the relationship of the grant controls. Possible values: AND, OR. |
termsOfUse | String collection | List of terms of use IDs required by the policy. |
Special considerations when using passwordChange as a control
Consider the following when you use the passwordChange control:
- passwordChange must be accompanied by mfa using an AND operator. This combination ensures that the password will be updated in a secure way.
- passwordChange must be used in a policy containing userRiskLevels. This is designed to enable scenarios where users must use a secure change password to reset their user risk.
- The policy should target all applications, and not exclude any applications.
- The policy cannot contain any other condition except users, applications and userRiskLevels.
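A lint for the passwordChange rules above, as an added example that is not part of the original documentation: it checks a policy dictionary shaped like a conditionalAccessPolicy before the policy is submitted. The `grantControls` and `conditions` field names come from the wider conditionalAccessPolicy resource rather than this page, and `check_password_change`, `is_set` and the sample policies are hypothetical names constructed for illustration.

```python
# Added example: lint a policy against the passwordChange rules listed above.
# Field names under "conditions" are assumptions; this page does not define them.
ALLOWED_CONDITIONS = {"users", "applications", "userRiskLevels"}


def is_set(value):
    """None, empty collections and dicts with only empty members count as unset."""
    if isinstance(value, dict):
        return any(is_set(v) for k, v in value.items() if not k.startswith("@odata"))
    return bool(value)


def check_password_change(policy):
    """Return a list of rule violations; an empty list means the policy passes."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "passwordChange" not in controls:
        return []  # the rules only apply when passwordChange is requested
    problems = []
    if "mfa" not in controls or grant.get("operator") != "AND":
        problems.append("passwordChange must be combined with mfa using operator AND")
    cond = policy.get("conditions") or {}
    if not cond.get("userRiskLevels"):
        problems.append("policy must contain userRiskLevels")
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        problems.append("policy must target all applications with no exclusions")
    for name, value in cond.items():
        # Assumption: clientAppTypes == ["all"] is "no restriction" and is ignored.
        if name.startswith("@odata") or (name == "clientAppTypes" and value == ["all"]):
            continue
        if name not in ALLOWED_CONDITIONS and is_set(value):
            problems.append(f"unsupported condition for passwordChange: {name}")
    return problems


# Constructed sample policies (not real tenant data).
GOOD = {"grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
        "conditions": {"userRiskLevels": ["high"], "clientAppTypes": ["all"],
                       "users": {"includeUsers": ["All"]}, "locations": None,
                       "applications": {"includeApplications": ["All"]}}}
BAD = {"grantControls": {"operator": "OR", "builtInControls": ["passwordChange"]},
       "conditions": {"signInRiskLevels": ["medium"], "applications": {
           "includeApplications": ["All"], "excludeApplications": ["app-id-placeholder"]}}}

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_password_change(sample) or "ok")
```

Running the check in a policy-as-code pipeline catches a passwordChange policy that omits mfa or excludes an application before it is deployed.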
Relationships
Relationship | Type | Description |
---|---|---|
authenticationStrength | authenticationStrengthPolicy | The authentication strength required by the conditional access policy. Optional. |
JSON representation
The following JSON representation shows the resource type.
{
"builtInControls": ["String"],
"customAuthenticationFactors": ["String"],
"operator": "String",
"termsOfUse": ["String"],
"authenticationStrength": {"@odata.type": "microsoft.graph.authenticationStrengthPolicy"}
}