MutualTlsOauthConfiguration.ReadWrite.All

Permission Details

Application Permission

Read and write all configurations used for mutual-TLS client authentication.

Allows the app to read and update configuration used for OAuth 2.0 mutual-TLS client authentication, without a signed-in user. This includes reading and updating trusted certificate authorities.

Permission ID: 78bbf8cf-07d8-45ba-b0eb-1a7b48efbcf1

Delegated Permission

Read and write all configurations used for mutual-TLS client authentication.

Allows the app to read and update configuration used for OAuth 2.0 mutual-TLS client authentication, on behalf of the signed-in user. This includes adding and updating trusted certificate authorities.

Permission ID: a51115bc-f64f-498f-bcee-00dcd28f4a03

Properties

Microsoft Graph beta exact-category-docs

Properties is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Property	Type	Description
`certificateAuthorities`	`certificateAuthority collection`	Multi-value property that represents a list of trusted certificate authorities. Inherited from trustedCertificateAuthorityBase.
`deletedDateTime`	`DateTimeOffset`Nullable	Date and time when this object was deleted. Always null when the object hasn't been deleted. Inherited from trustedCertificateAuthorityBase.
`displayName`	`String`Nullable	Friendly name. Supports $filter (eq, in).
`id`	`String`	The unique identifier for the mutualTlsOauthConfiguration object. Inherited from trustedCertificateAuthorityBase. Supports $filter (eq, in).
`tlsClientAuthParameter`	`tlsClientRegistrationMetadata`	Specifies the field in the certificate that contains the subject ID. The possible values are: tlsclientauthsubjectdn, tlsclientauthsandns, tlsclientauthsanuri, tlsclientauthsanip, tlsclientauthsanemail, unknownFutureValue.

JSON Representation

Microsoft Graph beta exact-category-docs

JSON representation is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

JSON representation

{
  "@odata.type": "#microsoft.graph.mutualTlsOauthConfiguration",
  "certificateAuthorities": [
    {
      "@odata.type": "microsoft.graph.certificateAuthority"
    }
  ],
  "deletedDateTime": "String (timestamp)",
  "displayName": "String",
  "id": "String (identifier)",
  "tlsClientAuthParameter": "String"
}

Relationships

Microsoft Graph beta schema-derived

Relationships is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Relationship	Type	Description
`certificateAuthorities`	`certificateAuthority collection`	Multi-value property that represents a list of trusted certificate authorities.
`tlsClientAuthParameter`	`tlsClientRegistrationMetadata`	Related tlsClientAuthParameter data exposed by this resource.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

No API methods available for this version.

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/certificateAuthorities/mutualTlsOauthConfigurations`
POST `/directory/certificateAuthorities/mutualTlsOauthConfigurations`
PATCH `/directory/certificateAuthorities/mutualTlsOauthConfigurations/{mutualTlsOauthConfigurationId}`
DELETE `/directory/certificateAuthorities/mutualTlsOauthConfigurations/{mutualTlsOauthConfigurationId}`

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgBetaDirectoryCertificateAuthorityMutualTlOauthConfiguration` /certificateAuthorities/mutualTlsOauthConfigurations List mutualTlsOauthConfigurations
`New-MgBetaDirectoryCertificateAuthorityMutualTlOauthConfiguration` /directory/certificateAuthorities/mutualTlsOauthConfigurations Create mutualTlsOauthConfiguration
`Update-MgBetaDirectoryCertificateAuthorityMutualTlOauthConfiguration` /directory/certificateAuthorities/mutualTlsOauthConfigurations/{mutualTlsOauthConfigurationId} Update mutualTlsOauthConfiguration

Code Examples

C# / .NET SDK

Create mutualTlsOauthConfiguration

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new MutualTlsOauthConfiguration
{
	DisplayName = "DoorCamera_Model_X_TrustedCAs",
	TlsClientAuthParameter = TlsClientRegistrationMetadata.Tls_client_auth_san_uri,
	CertificateAuthorities = new List<CertificateAuthority>
	{
		new CertificateAuthority
		{
			OdataType = "microsoft.graph.certificateAuthority",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Directory.CertificateAuthorities.MutualTlsOauthConfigurations.PostAsync(requestBody);

JavaScript

Create mutualTlsOauthConfiguration

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

const mutualTlsOauthConfiguration = {
  displayName: 'DoorCamera_Model_X_TrustedCAs',
  tlsClientAuthParameter: 'tls_client_auth_san_uri',
  certificateAuthorities: [
    {
      '@odata.type': 'microsoft.graph.certificateAuthority'
    }
  ]
};

await client.api('/directory/certificateAuthorities/mutualTlsOauthConfigurations')
	.version('beta')
	.post(mutualTlsOauthConfiguration);

PowerShell

Create mutualTlsOauthConfiguration

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement

$params = @{
	displayName = "DoorCamera_Model_X_TrustedCAs"
	tlsClientAuthParameter = "tls_client_auth_san_uri"
	certificateAuthorities = @(
		@{
			"@odata.type" = "microsoft.graph.certificateAuthority"
		}
	)
}

New-MgBetaDirectoryCertificateAuthorityMutualTlOauthConfiguration -BodyParameter $params

Python

Create mutualTlsOauthConfiguration

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.mutual_tls_oauth_configuration import MutualTlsOauthConfiguration
from msgraph_beta.generated.models.tls_client_registration_metadata import TlsClientRegistrationMetadata
from msgraph_beta.generated.models.certificate_authority import CertificateAuthority
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = MutualTlsOauthConfiguration(
	display_name = "DoorCamera_Model_X_TrustedCAs",
	tls_client_auth_parameter = TlsClientRegistrationMetadata.Tls_client_auth_san_uri,
	certificate_authorities = [
		CertificateAuthority(
			odata_type = "microsoft.graph.certificateAuthority",
		),
	],
)

result = await graph_client.directory.certificate_authorities.mutual_tls_oauth_configurations.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for MutualTlsOauthConfiguration.ReadWrite.All

4

Grant Admin Consent

Application permissions always require admin consent.