This article lists the attributes that are protected as part of Conditional Access policies in Entra ID. For supported attributes related to other objects, see "What is supported?" in Article 1554.
Page contents
- Conditional Access policies
- Authentication strengths
- Country named locations
- IP named locations
- Compliant network named locations
- Authentication contexts
Please take note of the following limitations with regard to recovery:
- Whenever you recover Entra ID objects in the RedApp, you may be asked to re-authenticate with Microsoft.
- With regard to relationships, we back up and recover only the supported relationships listed here.
Supported attributes: Conditional Access policies
Attribute | Description | Backed up | Restorable |
id | Specifies the identifier of the object. Read-only. | Yes | No |
description | Description of the object. Not used. | No | No |
displayName | Specifies a display name for the object. | Yes | Yes |
createdDateTime | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. Read-only. | Yes | Yes |
modifiedDateTime | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. Read-only. | Yes | Yes |
state | Specifies the state of the object. Required. | Yes | Yes |
conditions | Specifies the rules that must be met for the policy to apply. Required. | Yes | Yes |
grantControls | Specifies the grant controls that must be fulfilled to pass the policy. | Yes | Yes |
sessionControls | Specifies the session controls that must be fulfilled to pass the policy. | Yes | Yes |
Supported relationships
grantControls - authentication strengths
Supported attributes: authentication strengths
Note: Built-in authentication strengths are not supported because they are immutable (i.e. they cannot be created, changed or deleted) and have no relationships to other objects. Only custom authentication strengths are backed up.
Attribute | Description | Backed up | Restorable |
allowedCombinations | A collection of authentication method modes that are required to be used to satisfy this authentication strength. | Yes | Yes |
createdDateTime | The datetime when this policy was created. | Yes | Yes |
description | The human-readable description of this policy. | Yes | Yes |
displayName | The human-readable display name of this policy. | Yes | Yes |
id | The system-generated identifier for this mode. Inherited from entity. | Yes | No |
modifiedDateTime | The datetime when this policy was last modified. | Yes | Yes |
policyType | A descriptor of whether this policy is built into Microsoft Entra Conditional Access or created by an admin for the tenant. | Yes | No |
requirementsSatisfied | A descriptor of whether this authentication strength grants the MFA claim upon successful satisfaction. | Yes | No |
Supported relationships
combinationConfigurations
Supported attributes: country named locations
Attribute | Description | Backed up | Restorable |
countriesAndRegions | List of countries and/or regions in two-letter format specified by ISO 3166-2. | Yes | Yes |
countryLookupMethod | Determines what method is used to decide which country the user is located in. | Yes | Yes |
createdDateTime | The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. Read-only. Inherited from namedLocation. | Yes | No |
displayName | Human-readable name of the location. Required. Inherited from namedLocation. | Yes | Yes |
id | Identifier of a namedLocation object. Read-only. Inherited from namedLocation. | Yes | No |
includeUnknownCountriesAndRegions | True if IP addresses that don't map to a country or region should be included in the named location. Optional. | Yes | Yes |
modifiedDateTime | The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. Read-only. Inherited from namedLocation. | Yes | No |
Supported attributes: IP named locations
Attribute | Description | Backed up | Restorable |
createdDateTime | The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. Read-only. Inherited from namedLocation. | Yes | No |
displayName | Human-readable name of the location. Required. | Yes | Yes |
id | Identifier of a namedLocation object. Read-only. Inherited from namedLocation. | Yes | No |
ipRanges | List of IP address ranges in IPv4 CIDR format (for example, 1.2.3.4/32) or any allowable IPv6 format from IETF RFC5969. Required. | Yes | Yes |
isTrusted | true if this location is explicitly trusted. Optional. | Yes | Yes |
modifiedDateTime | The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. Read-only. Inherited from namedLocation. | Yes | No |
Supported attributes: compliant network named locations
Attribute | Description | Backed up | Restorable |
compliantNetworkType | Type of compliant network. Currently the only possible value is allTenantCompliantNetworks. | Yes | Yes |
createdDateTime | The timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. Read-only. Inherited from namedLocation. | Yes | No |
displayName | Human-readable name of the location. Required. Always "All Compliant Network Locations". Inherited from namedLocation. | Yes | Yes |
id | Identifier of the object. Read-only. Inherited from entity. | Yes | No |
isTrusted | True if this location is explicitly trusted. Optional. Default value is false. | Yes | Yes |
modifiedDateTime | The timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. Read-only. Inherited from namedLocation. | Yes | Yes |
Supported attributes: authentication contexts
Attribute | Description | Backed up | Restorable |
id | Identifier used to reference the authentication context class. | Yes | No |
displayName | A friendly name that identifies the authenticationContextClassReference object when building user-facing admin experiences. | Yes | Yes |
description | A short explanation of the policies that are enforced by authenticationContextClassReference. | Yes | Yes |
isAvailable | Indicates whether the authenticationContextClassReference has been published by the security admin and is ready for use by apps. | Yes | Yes |