Merge pull request #25827 from microsoftgraph/CRLFailSafeBeta

Added CRL validation in MSGraph doc for CBA

Author: Danielabom

api-reference/beta/api/x509certificateauthenticationmethodconfiguration-get.md

@@ -136,6 +136,10 @@ Content-Type: application/json
     "issuerHintsConfiguration": {
         "state": "disabled"
     },
+    "crlValidationConfiguration": {
+        "state": "disabled",
+        "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": []
+    },
     "includeTargets": [
         {
             "targetType": "group",

api-reference/beta/api/x509certificateauthenticationmethodconfiguration-update.md

@@ -48,6 +48,7 @@ PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x
 |:---|:---|:---|
 |authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
 |certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
+|crlValidationConfiguration|[x509CertificateCRLValidationConfiguration](../resources/x509certificatecrlvalidationconfiguration.md)|Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
 |issuerHintsConfiguration|[x509CertificateIssuerHintsConfiguration](../resources/x509certificateissuerhintsconfiguration.md)|Determines whether issuer(CA) hints are sent back to the client side to filter the certificates shown in certificate picker. |
 |state|authenticationMethodState|The possible values are: `enabled`, `disabled`. |
 
@@ -108,6 +109,10 @@ Content-Type: application/json
     "issuerHintsConfiguration": {
         "state": "disabled"
     },
+    "crlValidationConfiguration": {
+        "state": "disabled",
+        "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": []
+    },
     "includeTargets": [
         {
             "targetType": "group",

api-reference/beta/resources/enums.md

@@ -1853,6 +1853,14 @@ Namespace: microsoft.graph
 | enabled |
 | unknownFutureValue |
 
+### x509CertificateCRLValidationConfigurationState values
+
+| Member |
+| ---- |
+| disabled |
+| enabled |
+| unknownFutureValue |
+
 ### anniversaryType values
 
 | Member |

api-reference/beta/resources/x509certificateauthenticationmethodconfiguration.md

@@ -33,6 +33,7 @@ Inherits from [authenticationMethodConfiguration](../resources/authenticationmet
 |:---|:---|:---|
 |authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
 |certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
+|crlValidationConfiguration|[x509CertificateCRLValidationConfiguration](../resources/x509certificatecrlvalidationconfiguration.md)|Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
 |excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|
 |id|String|The identifier for the authentication method policy. The value is always `X509Certificate`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md). |
 |issuerHintsConfiguration|[x509CertificateIssuerHintsConfiguration](../resources/x509certificateissuerhintsconfiguration.md)|Determines whether issuer(CA) hints are sent back to the client side to filter the certificates shown in certificate picker. |
@@ -74,6 +75,9 @@ The following is a JSON representation of the resource.
   },
   "issuerHintsConfiguration": {
     "@odata.type": "microsoft.graph.x509CertificateIssuerHintsConfiguration"
+  },
+  "crlValidationConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateCRLValidationConfiguration"
   }
 }
 ```

api-reference/beta/resources/x509certificatecrlvalidationconfiguration.md

@@ -0,0 +1,43 @@
+---
+title: "x509CertificateCRLValidationConfiguration resource type"
+description: "Determines whether certificate-based authentication should fail if the issuing CA doesn't have a valid certificate revocation list (CRL) configured."
+author: "vimrang"
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+ms.date: 04/05/2024
+---
+
+# x509CertificateCRLValidationConfiguration resource type
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Determines whether certificate-based authentication should fail if the issuing Certificate Authority (CA) doesn't have a valid certificate revocation list (CRL) configured. Includes the subject key identifier (SKI) of the CAs that should be exempted from CRL validation.
+ 
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|exemptedCertificateAuthoritiesSubjectKeyIdentifiers| String collection|Represents the SKIs of CAs that should be excluded from the valid CRL distribution point check. SKI is represented as a hexadecimal string.|
+|state|x509CertificateCRLValidationConfigurationState|The possible values are: `disabled`, `enabled`, `unknownFutureValue`.|
+
+## Relationships
+None.
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.x509CertificateCRLValidationConfiguration"
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.x509CertificateCRLValidationConfiguration",
+  "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": [
+    "String"
+  ],
+  "state": "String"
+}
+```

changelog/Microsoft.AuthenticationMethodsPolicy.json

@@ -1,5 +1,39 @@
 {
   "changelog": [
+    {
+      "ChangeList": [
+        {
+          "Id": "2cbecfbd-2d27-4fb9-bef3-294d2bb54e41",
+          "ApiChange": "Enumeration",
+          "ChangedApiName": "x509CertificateCRLValidationConfigurationState",
+          "ChangeType": "Addition",
+          "Description": "Added the **x509CertificateCRLValidationConfigurationState** enumeration type.",
+          "Target": "x509CertificateCRLValidationConfigurationState"
+        },
+        {
+          "Id": "2cbecfbd-2d27-4fb9-bef3-294d2bb54e41",
+          "ApiChange": "Resource",
+          "ChangedApiName": "x509CertificateCRLValidationConfiguration",
+          "ChangeType": "Addition",
+          "Description": "Added the [x509CertificateCRLValidationConfiguration](https://learn.microsoft.com/en-us/graph/api/resources/x509CertificateCRLValidationConfiguration?view=graph-rest-beta) resource.",
+          "Target": "x509CertificateCRLValidationConfiguration"
+        },
+        {
+          "Id": "2cbecfbd-2d27-4fb9-bef3-294d2bb54e41",
+          "ApiChange": "Property",
+          "ChangedApiName": "crlValidationConfiguration",
+          "ChangeType": "Addition",
+          "Description": "Added the **crlValidationConfiguration** property to the [x509CertificateAuthenticationMethodConfiguration](https://learn.microsoft.com/en-us/graph/api/resources/x509CertificateAuthenticationMethodConfiguration?view=graph-rest-beta) resource.",
+          "Target": "x509CertificateAuthenticationMethodConfiguration"
+        }
+      ],
+      "Id": "2cbecfbd-2d27-4fb9-bef3-294d2bb54e41",
+      "Cloud": "Prod",
+      "Version": "beta",
+      "CreatedDateTime": "2024-12-03T22:45:55.1918452Z",
+      "WorkloadArea": "Identity and access",
+      "SubArea": "Identity and sign-in"
+    },
     {
       "ChangeList": [
         {