New permissions for Authentication Methods in Microsoft Graph API

Permissions scoped to individual authentication methods

Microsoft has introduced new permissions for managing authentication methods via the Microsoft Graph API.

Until now, admins managing authentication methods had to grant one of the following permissions:

  • UserAuthenticationMethod.Read
  • UserAuthenticationMethod.ReadWrite.All
  • UserAuthenticationMethod.ReadWrite
  • UserAuthenticationMethod.Read.All

At first sight, these permissions may seem sufficient for managing authentication methods. However, they are broadly scoped and may grant more access than a specific task requires.

Imagine a scenario where an admin assigns the Authentication Administrator role to another user in the organization.

With the permissions mentioned above, the assigned user would in theory be able to manage all authentication methods for all users in the organization.

This level of access may exceed what the assigned user's tasks require and could introduce security risk.

To apply the principle of least privilege, Microsoft Graph now supports new delegated and application permissions scoped to the individual authentication methods supported by Microsoft Entra ID.

Let's check the new permissions.

Permissions for email authentication methods

  • UserAuthMethod-Email.Read - delegated only, signed-in user only
  • UserAuthMethod-Email.Read.All - both delegated and application
  • UserAuthMethod-Email.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/emailMethods
  • v1.0/users/{user_id}/authentication/emailMethods

Permissions for external authentication methods

  • UserAuthMethod-External.Read - delegated only, signed-in user only
  • UserAuthMethod-External.Read.All - both delegated and application
  • UserAuthMethod-External.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • beta/me/authentication/externalAuthenticationMethods
  • beta/users/{user_id}/authentication/externalAuthenticationMethods

Permissions for Hardware OATH authentication methods

  • UserAuthMethod-HardwareOATH.Read - delegated only, signed-in user only
  • UserAuthMethod-HardwareOATH.Read.All - both delegated and application
  • UserAuthMethod-HardwareOATH.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-HardwareOATH.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • beta/me/authentication/hardwareOathMethods
  • beta/users/{user_id}/authentication/hardwareOathMethods

Permissions for Microsoft Authenticator authentication methods

  • UserAuthMethod-MicrosoftAuthApp.Read - delegated only, signed-in user only
  • UserAuthMethod-MicrosoftAuthApp.Read.All - both delegated and application
  • UserAuthMethod-MicrosoftAuthApp.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-MicrosoftAuthApp.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/microsoftAuthenticatorMethods
  • v1.0/users/{user_id}/authentication/microsoftAuthenticatorMethods

Permissions for FIDO2 authentication methods

  • UserAuthMethod-Passkey.Read - delegated only, signed-in user only
  • UserAuthMethod-Passkey.Read.All - both delegated and application
  • UserAuthMethod-Passkey.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-Passkey.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/fido2Methods
  • v1.0/users/{user_id}/authentication/fido2Methods

Permissions for Password authentication methods

  • UserAuthMethod-Password.Read - delegated only, signed-in user only
  • UserAuthMethod-Password.Read.All - both delegated and application
  • UserAuthMethod-Password.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-Password.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/passwordMethods
  • v1.0/users/{user_id}/authentication/passwordMethods

Permissions for Phone authentication methods

  • UserAuthMethod-Phone.Read - delegated only, signed-in user only
  • UserAuthMethod-Phone.Read.All - both delegated and application
  • UserAuthMethod-Phone.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-Phone.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/phoneMethods
  • v1.0/users/{user_id}/authentication/phoneMethods

Permissions for Platform Credential authentication methods

  • UserAuthMethod-PlatformCred.Read - delegated only, signed-in user only
  • UserAuthMethod-PlatformCred.Read.All - both delegated and application
  • UserAuthMethod-PlatformCred.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-PlatformCred.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/platformCredentialMethods
  • v1.0/users/{user_id}/authentication/platformCredentialMethods

Permissions for QR Code authentication methods

  • UserAuthMethod-QR.Read - delegated only, signed-in user only
  • UserAuthMethod-QR.Read.All - both delegated and application
  • UserAuthMethod-QR.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-QR.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • beta/me/authentication/qrCodePinMethod
  • beta/users/{user_id}/authentication/qrCodePinMethod

Permissions for Software OATH authentication methods

  • UserAuthMethod-SoftwareOATH.Read - delegated only, signed-in user only
  • UserAuthMethod-SoftwareOATH.Read.All - both delegated and application
  • UserAuthMethod-SoftwareOATH.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-SoftwareOATH.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/softwareOathMethods
  • v1.0/users/{user_id}/authentication/softwareOathMethods

Permissions for Temporary Access Pass authentication methods

  • UserAuthMethod-TAP.Read - delegated only, signed-in user only
  • UserAuthMethod-TAP.Read.All - both delegated and application
  • UserAuthMethod-TAP.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-TAP.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/temporaryAccessPassMethods
  • v1.0/users/{user_id}/authentication/temporaryAccessPassMethods

Permissions for Windows Hello authentication methods

  • UserAuthMethod-WindowsHello.Read - delegated only, signed-in user only
  • UserAuthMethod-WindowsHello.Read.All - both delegated and application
  • UserAuthMethod-WindowsHello.ReadWrite - delegated only, signed-in user only
  • UserAuthMethod-WindowsHello.ReadWrite.All - both delegated and application

With these permissions, you can call endpoints:

  • v1.0/me/authentication/windowsHelloForBusinessMethods
  • v1.0/users/{user_id}/authentication/windowsHelloForBusinessMethods

Example

Let's try how it works in practice.

I will create a new Entra app registration and grant the following delegated permissions:

  • UserAuthMethod-Email.Read - To read the signed-in user's email authentication methods
  • UserAuthMethod-MicrosoftAuthApp.Read.All - To read all users' Microsoft Authenticator methods
  • UserAuthMethod-Phone.ReadWrite.All - To read and write all users' phone methods

The PowerShell script below will try to read all authentication methods, email methods, Microsoft Authenticator methods, and phone methods for the signed-in user and another user in the organization.

$clientId = '<client_id>'
$tenantId = '<tenant_id>'

# Sign in interactively with the app registration created above; the access token
# carries only the delegated permissions consented to that app.
Connect-MgGraph -ClientId $clientId -TenantId $tenantId

Import-Module Microsoft.Graph.Identity.SignIns

$meId = '<me_id>'       # object ID of the signed-in user
$userId = '<user_id>'   # object ID of another user in the organization

# All methods: requires UserAuthenticationMethod.Read, which was not granted
Get-MgUserAuthenticationMethod -UserId $meId
Get-MgUserAuthenticationMethod -UserId $userId

# Email methods: UserAuthMethod-Email.Read covers the signed-in user only
Get-MgUserAuthenticationEmailMethod -UserId $meId
Get-MgUserAuthenticationEmailMethod -UserId $userId

# Microsoft Authenticator methods: UserAuthMethod-MicrosoftAuthApp.Read.All covers all users
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $meId
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId

# Phone methods: UserAuthMethod-Phone.ReadWrite.All covers all users
Get-MgUserAuthenticationPhoneMethod -UserId $meId
Get-MgUserAuthenticationPhoneMethod -UserId $userId

# disconnect
Disconnect-MgGraph

The Get-MgUserAuthenticationMethod call will fail for both users because it requires at least the UserAuthenticationMethod.Read permission, which we did not grant.

The Get-MgUserAuthenticationEmailMethod call will succeed for the signed-in user but fail for the other user, because we only have the UserAuthMethod-Email.Read permission, which is scoped to the signed-in user.

The Get-MgUserAuthenticationMicrosoftAuthenticatorMethod call will succeed for the other user because we have the UserAuthMethod-MicrosoftAuthApp.Read.All permission, which allows reading Microsoft Authenticator methods for all users.

The Get-MgUserAuthenticationPhoneMethod call will succeed for both users because we have the UserAuthMethod-Phone.ReadWrite.All permission, which allows reading and writing phone methods for all users.

Conclusion

The introduction of these new permissions allows more granular control over authentication methods in the Microsoft Graph API.

The old permissions are still available, but using the new scoped permissions is recommended to reduce the blast radius of a compromised app or account and to adhere to the principle of least privilege.
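A practical follow-up to that recommendation is to find out which apps in the tenant still hold the broad permissions. The script below is an added example, not part of the original post: it lists every service principal with a delegated or application grant of UserAuthenticationMethod.* on Microsoft Graph, so each one can be reviewed and moved to the matching UserAuthMethod-* permission. It assumes the Microsoft Graph PowerShell SDK is installed; Directory.Read.All is requested for simplicity, and a narrower read scope may be enough in your tenant.

```powershell
# Added example: audit broad UserAuthenticationMethod.* grants on Microsoft Graph.
# Directory.Read.All is an assumption made for simplicity; use a narrower scope if it suffices.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Well-known appId of the Microsoft Graph resource service principal
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$broad   = '^UserAuthenticationMethod\.'

$findings = [System.Collections.Generic.List[object]]::new()

# Delegated permissions are oAuth2PermissionGrant objects; Scope is a space-separated list.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $grant = $_
        $grant.Scope -split ' ' | Where-Object { $_ -match $broad } | ForEach-Object {
            $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
            $findings.Add([pscustomobject]@{
                App        = $client.DisplayName
                SpObjectId = $client.Id
                Type       = 'Delegated'
                Consent    = $grant.ConsentType   # AllPrincipals = admin consent for every user
                Permission = $_
            })
        }
    }

# Application permissions are appRoleAssignments on the Graph service principal.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object {
        $assignment = $_
        $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        if ($role -and $role.Value -match $broad) {
            $findings.Add([pscustomobject]@{
                App        = $assignment.PrincipalDisplayName
                SpObjectId = $assignment.PrincipalId
                Type       = 'Application'
                Consent    = 'Admin'
                Permission = $role.Value
            })
        }
    }

# Each row is a candidate for replacement by a per-method UserAuthMethod-* permission
$findings | Sort-Object App, Type | Format-Table -AutoSize

Disconnect-MgGraph
```

Delegated grants with ConsentType AllPrincipals deserve the first look, since they apply to every user who signs in to the app.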
