Supported attributes by policy
Email OTP
Attribute | Description | Backed up | Restorable |
allowExternalIdToUseEmailOtp | Determines whether email OTP is usable by external users for authentication. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
X.509
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
authenticationModeConfiguration | Defines strong authentication configurations, including the default authentication mode and the different rules for strong authentication bindings. | Yes | Yes |
certificateUserBindings | Defines fields in the X.509 certificate that map to attributes of the Entra user object in order to bind the certificate to the user. | Yes | Yes |
crlValidationConfiguration | Determines whether certificate-based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
FIDO2
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
isAttestationEnforced | Determines whether attestation must be enforced for FIDO2 security key registration. | Yes | Yes |
isSelfServiceRegistrationAllowed | Determines if users can register new FIDO2 security keys. | Yes | Yes |
keyRestrictions | Controls whether key restrictions are enforced on FIDO2 security keys, either allowing or disallowing certain key types as defined by Authenticator Attestation GUID (AAGUID), an identifier that indicates the type (e.g. make and model) of the authenticator. | Yes | Yes |
keyRestrictions>isEnforced | Determines if the configured key enforcement is enabled. | Yes | Yes |
keyRestrictions>enforcementType | Enforcement type. Possible values are: allow, block. | Yes | Yes |
keyRestrictions>aaGuids | A collection of Authenticator Attestation GUIDs. AAGUIDs define key types and manufacturers. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
Microsoft Authenticator
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. Possible values are: enabled, disabled. | Yes | Yes |
isSoftwareOathEnabled | true if users can use the OTP code generated by the Microsoft Authenticator app, false otherwise. | Yes | Yes |
featureSettings | A collection of Microsoft Authenticator settings such as number matching and location context, and whether they are enabled for all users or specific users only. | Yes | Yes |
featureSettings> companionAppAllowedState | Determines whether users are able to approve push notifications on other Microsoft applications such as Outlook Mobile. | Yes | Yes |
featureSettings> displayAppInformationRequiredState | Determines whether the user's Authenticator app shows them the client app they're signing into. | Yes | Yes |
featureSettings> displayLocationInformationRequiredState | Determines whether the user's Authenticator app shows them the geographic location of where the authentication request originated from. | Yes | Yes |
featureSettings> numberMatchingRequiredState | Specifies whether the user needs to enter a number in the Authenticator app from the login screen to complete their login. Value is ignored for phone sign-in notifications. | Yes | No |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
SMS authentication
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
Temporary Access Pass
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
defaultLength | Default length in characters of a Temporary Access Pass object. | Yes | Yes |
defaultLifetimeInMinutes | Default lifetime in minutes for a Temporary Access Pass. | Yes | Yes |
isUsableOnce | If true, all the passes in the tenant will be restricted to one-time use. If false, passes in the tenant can be created to be either one-time use or reusable. | Yes | Yes |
minimumLifetimeInMinutes | Minimum lifetime in minutes for any Temporary Access Pass created in the tenant. | Yes | Yes |
maximumLifetimeInMinutes | Maximum lifetime in minutes for any Temporary Access Pass created in the tenant. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
Voice authentication
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
isOfficePhoneAllowed | true if users can register office phones, otherwise false. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
Software OATH
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
Hardware OATH
Note: hardwareOathTokenAuthenticationMethodDevice is not supported as an authentication method policy.
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
External authentication method
Attribute | Description | Backed up | Restorable |
id | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. | Yes | No |
state | Indicates whether this authentication method is enabled or not. | Yes | Yes |
appId | appId for the app registration in Entra ID representing the integration with the external provider. | Yes | Yes |
displayName | Display name for the external authentication method. | Yes | Yes |
openIdConnectSetting | OpenID Connect settings used by this external authentication method. | Yes | Yes |
excludeTargets | Groups of users that are excluded from the policy. | Yes | Yes |
Supported relationships
IncludeTargets
AssignTo
Note:
- Due to API limitations, we do not back up or restore actual passwords, hints, certificates or credentials. After restoring, you will need to create the passwords, certificates and client secrets manually.
- Read about the limitations of Entra ID object recovery in Article 1554.