ESC
Type to search...
Navigate Open ESC Close

UserAuthMethod-External.ReadWrite

Export JSON
Export CSV
Copy URL
Print
Delegated Read/Write User Scope

Allows the app to read and write the signed-in user's external authentication methods. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Delegated Permission Admin consent required

Read and write the signed-in user's external authentication methods

Allows the app to read and write the signed-in user's external authentication methods. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

User sees: Allows the app to read and write your external authentication methods. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
Permission ID: 28c2e8f9-828a-4691-a090-f2f0b7fc07b3

Properties

Microsoft Graph v1.0 endpoint-derived-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
id String Unique identifier. Read-only.
emailMethods emailAuthenticationMethod collection The email address registered to a user for authentication.
externalAuthenticationMethods externalAuthenticationMethod collection Represents the external MFA registered to a user for authentication using an external identity provider.
fido2Methods fido2AuthenticationMethod collection Represents the FIDO2 security keys registered to a user for authentication.
methods authenticationMethod collection Represents all authentication methods registered to a user.
microsoftAuthenticatorMethods microsoftAuthenticatorAuthenticationMethod collection The details of the Microsoft Authenticator app registered to a user for authentication.
operations longRunningOperation collection Represents the status of a long-running operation, such as a password reset operation.
passwordMethods passwordAuthenticationMethod collection Represents the password registered to a user for authentication. For security, the password itself is never returned in the object, but action can be taken to reset a password.
phoneMethods phoneAuthenticationMethod collection The phone numbers registered to a user for authentication.
platformCredentialMethods platformCredentialAuthenticationMethod collection Represents a platform credential instance registered to a user on Mac OS.
softwareOathMethods softwareOathAuthenticationMethod collection The software OATH time-based one-time password (TOTP) applications registered to a user for authentication.
temporaryAccessPassMethods temporaryAccessPassAuthenticationMethod collection Represents a Temporary Access Pass registered to a user for authentication through time-limited passcodes.
windowsHelloForBusinessMethods windowsHelloForBusinessAuthenticationMethod collection Represents the Windows Hello for Business authentication method registered to a user for authentication.

JSON Representation

Microsoft Graph v1.0 endpoint-derived-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.authentication"
}

Relationships

Microsoft Graph v1.0 endpoint-derived-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
emailMethods emailAuthenticationMethod collection The email address registered to a user for authentication.
externalAuthenticationMethods externalAuthenticationMethod collection Represents the external MFA registered to a user for authentication using an external identity provider.
fido2Methods fido2AuthenticationMethod collection Represents the FIDO2 security keys registered to a user for authentication.
methods authenticationMethod collection Represents all authentication methods registered to a user.
microsoftAuthenticatorMethods microsoftAuthenticatorAuthenticationMethod collection The details of the Microsoft Authenticator app registered to a user for authentication.
operations longRunningOperation collection Represents the status of a long-running operation, such as a password reset operation.
passwordMethods passwordAuthenticationMethod collection Represents the password registered to a user for authentication. For security, the password itself is never returned in the object, but action can be taken to reset a password.
platformCredentialMethods platformCredentialAuthenticationMethod collection Represents a platform credential instance registered to a user on Mac OS.
phoneMethods phoneAuthenticationMethod collection The phone numbers registered to a user for authentication.
softwareOathMethods softwareOathAuthenticationMethod collection The software OATH time-based one-time password (TOTP) applications registered to a user for authentication.
temporaryAccessPassMethods temporaryAccessPassAuthenticationMethod collection Represents a Temporary Access Pass registered to a user for authentication through time-limited passcodes.
windowsHelloForBusinessMethods windowsHelloForBusinessAuthenticationMethod collection Represents the Windows Hello for Business authentication method registered to a user for authentication.
hardwareOathMethods hardwareOathAuthenticationMethod collection The hardware OATH time-based one-time password (TOTP) devices assigned to a user for authentication.
passwordlessMicrosoftAuthenticatorMethods passwordlessMicrosoftAuthenticatorAuthenticationMethod collection Represents the Microsoft Authenticator Passwordless Phone Sign-in methods registered to a user for authentication.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /me/authentication/externalAuthenticationMethods
GET /me/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}
GET /users/{usersId}/authentication/externalAuthenticationMethods
GET /users/{usersId}/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}
POST /users/{usersId}/authentication/externalAuthenticationMethods
DELETE /users/{usersId}/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}/$ref
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /me/authentication/externalAuthenticationMethods
GET /me/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}
GET /users/{usersId}/authentication/externalAuthenticationMethods
GET /users/{usersId}/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}
POST /users/{usersId}/authentication/externalAuthenticationMethods
DELETE /users/{usersId}/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}/$ref
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgUserAuthenticationExternalAuthenticationMethod /me/authentication/externalAuthenticationMethods
List externalAuthenticationMethod objects
Get-MgUserAuthenticationExternalAuthenticationMethod /me/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}
Get externalAuthenticationMethod
New-MgUserAuthenticationExternalAuthenticationMethod /users/{usersId}/authentication/externalAuthenticationMethods
Create externalAuthenticationMethod
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaUserAuthenticationExternalAuthenticationMethod /me/authentication/externalAuthenticationMethods
List externalAuthenticationMethod objects
Get-MgBetaUserAuthenticationExternalAuthenticationMethod /me/authentication/externalAuthenticationMethods/{externalAuthenticationMethodId}
Get externalAuthenticationMethod
New-MgBetaUserAuthenticationExternalAuthenticationMethod /users/{usersId}/authentication/externalAuthenticationMethods
Create externalAuthenticationMethod

Code Examples

C# / .NET SDK
Create externalAuthenticationMethod
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ExternalAuthenticationMethod
{
	OdataType = "#microsoft.graph.externalAuthenticationMethod",
	ConfigurationId = "26310fee-860b-4eab-8749-ab730dcf335e",
	DisplayName = "Adatum",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Users["{user-id}"].Authentication.ExternalAuthenticationMethods.PostAsync(requestBody);
JavaScript
Create externalAuthenticationMethod
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const externalAuthenticationMethod = {
  '@odata.type': '#microsoft.graph.externalAuthenticationMethod',
  configurationId: '26310fee-860b-4eab-8749-ab730dcf335e',
  displayName: 'Adatum'
};

await client.api('/users/{id}/authentication/externalAuthenticationMethods')
	.post(externalAuthenticationMethod);
PowerShell
Create externalAuthenticationMethod
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	"@odata.type" = "#microsoft.graph.externalAuthenticationMethod"
	configurationId = "26310fee-860b-4eab-8749-ab730dcf335e"
	displayName = "Adatum"
}

New-MgUserAuthenticationExternalAuthenticationMethod -UserId $userId -BodyParameter $params
Python
Create externalAuthenticationMethod
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.external_authentication_method import ExternalAuthenticationMethod
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ExternalAuthenticationMethod(
	odata_type = "#microsoft.graph.externalAuthenticationMethod",
	configuration_id = "26310fee-860b-4eab-8749-ab730dcf335e",
	display_name = "Adatum",
)

result = await graph_client.users.by_user_id('user-id').authentication.external_authentication_methods.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Delegated permissions and search for UserAuthMethod-External.ReadWrite

4

Grant Admin Consent

This delegated permission requires admin consent.