Merging changes synced from https://github.com/microsoftgraph/microsoft-graph-docs (branch live)

Learn Build Service GitHub App · Learn Build Service GitHub App · commit 58a9e39280ef · 2026-05-08T08:39:32.000Z
diff --git a/api-reference/beta/api/message-replyall.md b/api-reference/beta/api/message-replyall.md
@@ -39,6 +39,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http
+POST /me/messages/{id}/replyAll
 POST /users/{id | userPrincipalName}/messages/{id}/replyAll
 POST /me/mailFolders/{id}/messages/{id}/replyAll
 POST /users/{id | userPrincipalName}/mailFolders/{id}/messages/{id}/replyAll
diff --git a/api-reference/v1.0/api/message-replyall.md b/api-reference/v1.0/api/message-replyall.md
@@ -37,6 +37,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 ## HTTP request
 <!-- { "blockType": "ignored" } -->
 ```http
+POST /me/messages/{id}/replyAll
 POST /users/{id | userPrincipalName}/messages/{id}/replyAll
 POST /me/mailFolders/{id}/messages/{id}/replyAll
 POST /users/{id | userPrincipalName}/mailFolders/{id}/messages/{id}/replyAll
diff --git a/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-get.md b/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-get.md
@@ -5,7 +5,7 @@ author: "vimrang"
 ms.localizationpriority: medium
 ms.subservice: "entra-sign-in"
 doc_type: apiPageType
-ms.date: 03/10/2025
+ms.date: 12/09/2025
 ---
 
 # Get x509CertificateAuthenticationMethodConfiguration
@@ -50,8 +50,6 @@ If successful, this method returns a `200 OK` response code and a [x509Certifica
 ## Examples
 
 ### Request
-
-# [HTTP](#tab/http)
 <!-- {
   "blockType": "request",
   "name": "get_x509certificateauthenticationmethodconfiguration"
@@ -61,36 +59,6 @@ If successful, this method returns a `200 OK` response code and a [x509Certifica
 GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
 ```
 
-# [C#](#tab/csharp)
-[!INCLUDE [sample-code](../includes/snippets/csharp/get-x509certificateauthenticationmethodconfiguration-csharp-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Go](#tab/go)
-[!INCLUDE [sample-code](../includes/snippets/go/get-x509certificateauthenticationmethodconfiguration-go-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Java](#tab/java)
-[!INCLUDE [sample-code](../includes/snippets/java/get-x509certificateauthenticationmethodconfiguration-java-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [JavaScript](#tab/javascript)
-[!INCLUDE [sample-code](../includes/snippets/javascript/get-x509certificateauthenticationmethodconfiguration-javascript-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PHP](#tab/php)
-[!INCLUDE [sample-code](../includes/snippets/php/get-x509certificateauthenticationmethodconfiguration-php-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PowerShell](#tab/powershell)
-[!INCLUDE [sample-code](../includes/snippets/powershell/get-x509certificateauthenticationmethodconfiguration-powershell-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Python](#tab/python)
-[!INCLUDE [sample-code](../includes/snippets/python/get-x509certificateauthenticationmethodconfiguration-python-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
----
-
 ### Response
 The following response object shows an x509CertificateAuthenticationMethodConfiguration with its default configuration.
 >**Note:** The response object shown here might be shortened for readability.
@@ -129,6 +97,18 @@ Content-Type: application/json
         "state": "disabled",
         "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": []
     },
+    "certificateAuthorityScopes": [
+        {
+            "subjectKeyIdentifier": "aaaaaaaabbbbcccc111122222222222222333333",
+            "publicKeyInfrastructureIdentifier": "Contoso PKI",
+            "includeTargets": [
+            {
+                "id": "aaaaaaaa-bbbb-cccc-1111-222222222222",
+                "targetType": "group"
+            }
+            ]
+        } 
+    ],
     "includeTargets": [
         {
             "targetType": "group",
@@ -138,5 +118,4 @@ Content-Type: application/json
     ],
     "excludeTargets": []
 }
-```
-
+```
diff --git a/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-update.md b/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-update.md
@@ -43,14 +43,15 @@ The following properties can be updated.
 
 |Property|Type|Description|
 |:---|:---|:---|
-|state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
+|certificateAuthorityScopes|[x509CertificateAuthorityScope](../resources/x509certificateauthorityscope.md) collection|Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. |
 |certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
 |authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
 |crlValidationConfiguration|[x509CertificateCRLValidationConfiguration](../resources/x509certificatecrlvalidationconfiguration.md)|Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
+|issuerHintsConfiguration|[x509CertificateIssuerHintsConfiguration](../resources/x509certificateissuerhintsconfiguration.md)|Determines whether issuer(CA) hints are sent back to the client side to filter the certificates shown in certificate picker. |
+|state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
 
 >**Note:** The `@odata.type` property with a value of `#microsoft.graph.x509CertificateAuthenticationMethodConfiguration` must be included in the body.
 
-
 ## Response
 If successful, this method returns a `204 No Content` response code. It doesn't return anything in the response body.
 
@@ -64,13 +65,12 @@ The following is an example of an update request with the following settings:
 + Defines multi-factor authentication as requirement.
 + Configures the binding rules for the strong authentication method against the rule type.
 
-
-# [HTTP](#tab/http)
 <!-- {
   "blockType": "request",
   "name": "update_x509certificateauthenticationmethodconfiguration"
 }
 -->
+
 ```http
 PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
 Content-Type: application/json
@@ -101,6 +101,21 @@ Content-Type: application/json
             }
         ]
     },
+    "certificateAuthorityScopes": [
+        {
+            "subjectKeyIdentifier": "aaaaaaaabbbbcccc111122222222222222333333",
+            "publicKeyInfrastructureIdentifier": "Contoso PKI",
+            "includeTargets": [
+            {
+                "id": "aaaaaaaa-bbbb-cccc-1111-222222222222",
+                "targetType": "group"
+            }
+            ]
+        }
+    ],
+    "issuerHintsConfiguration": {
+        "state": "enabled"
+    },
     "crlValidationConfiguration": {
         "state": "disabled",
         "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": []
@@ -115,36 +130,6 @@ Content-Type: application/json
 }
 ```
 
-# [C#](#tab/csharp)
-[!INCLUDE [sample-code](../includes/snippets/csharp/update-x509certificateauthenticationmethodconfiguration-csharp-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Go](#tab/go)
-[!INCLUDE [sample-code](../includes/snippets/go/update-x509certificateauthenticationmethodconfiguration-go-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Java](#tab/java)
-[!INCLUDE [sample-code](../includes/snippets/java/update-x509certificateauthenticationmethodconfiguration-java-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [JavaScript](#tab/javascript)
-[!INCLUDE [sample-code](../includes/snippets/javascript/update-x509certificateauthenticationmethodconfiguration-javascript-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PHP](#tab/php)
-[!INCLUDE [sample-code](../includes/snippets/php/update-x509certificateauthenticationmethodconfiguration-php-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PowerShell](#tab/powershell)
-[!INCLUDE [sample-code](../includes/snippets/powershell/update-x509certificateauthenticationmethodconfiguration-powershell-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Python](#tab/python)
-[!INCLUDE [sample-code](../includes/snippets/python/update-x509certificateauthenticationmethodconfiguration-python-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
----
-
 ### Response
 <!-- {
   "blockType": "response"
diff --git a/api-reference/v1.0/resources/enums.md b/api-reference/v1.0/resources/enums.md
@@ -3,7 +3,7 @@ title: "Enum values"
 description: "Microsoft Graph enumeration values."
 ms.localizationpriority: medium
 ms.subservice: "non-product-specific"
-ms.date: 12/02/2025
+ms.date: 01/20/2026
 author: "MSGraphDocsvTeam"
 doc_type: enumPageType
 ms.custom: sfi-ropc-nochange
@@ -877,6 +877,14 @@ Namespace: microsoft.graph
 | policyOID |
 | unknownFutureValue |
 
+### x509CertificateIssuerHintsState values
+
+| Member |
+| ---- |
+| disabled |
+| enabled |
+| unknownFutureValue |
+
 ### x509CertificateCRLValidationConfigurationState values
 
 | Member |
diff --git a/api-reference/v1.0/resources/includetarget.md b/api-reference/v1.0/resources/includetarget.md
@@ -0,0 +1,42 @@
+---
+title: "includeTarget resource type"
+description: "Defines the users and groups that are included in a set of changes."
+author: "msft-poulomi"
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+ms.date: 12/09/2024
+---
+
+# includeTarget resource type
+
+Namespace: microsoft.graph
+
+Defines the users and groups that are included in a set of changes.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|id|String|The ID of the entity targeted.|
+|targetType|authenticationMethodTargetType|The kind of entity targeted. The possible values are: `user`, `group`.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.includeTarget"
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.includeTarget",
+  "id": "String (identifier)",
+  "targetType": "String"
+}
+```
diff --git a/api-reference/v1.0/resources/x509certificateauthenticationmethodconfiguration.md b/api-reference/v1.0/resources/x509certificateauthenticationmethodconfiguration.md
@@ -30,19 +30,22 @@ Inherits from [authenticationMethodConfiguration](../resources/authenticationmet
 |Property|Type|Description|
 |:---|:---|:---|
 |authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
+|certificateAuthorityScopes|[x509CertificateAuthorityScope](../resources/x509certificateauthorityscope.md) collection|Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. |
 |certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
 |crlValidationConfiguration|[x509CertificateCRLValidationConfiguration](../resources/x509certificatecrlvalidationconfiguration.md)|Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
 |excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|
-|id|String|The identifier for the authentication method policy. The value is always `X509Certificate`. Inherited from
+|id|String|The identifier for the authentication method policy. The value is always `X509Certificate`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md). |
+|issuerHintsConfiguration|[x509CertificateIssuerHintsConfiguration](../resources/x509certificateissuerhintsconfiguration.md)|Determines whether issuer(CA) hints are sent back to the client side to filter the certificates shown in certificate picker. |
 |state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
 
 ## Relationships
+
 |Relationship|Type|Description|
 |:---|:---|:---|
 |includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|
 
+## JSON representation
 The following JSON representation shows the resource type.
-The following is a JSON representation of the resource.
 <!-- {
   "blockType": "resource",
   "keyProperty": "id",
@@ -54,23 +57,31 @@ The following is a JSON representation of the resource.
 ``` json
 {
   "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
-  "authenticationModeConfiguration": {
-    "@odata.type": "microsoft.graph.x509CertificateAuthenticationModeConfiguration"
-  },
+  "id": "String (identifier)",
+  "state": "String",
+  "excludeTargets": [
+    {
+      "@odata.type": "microsoft.graph.excludeTarget"
+    }
+  ],
   "certificateUserBindings": [
     {
       "@odata.type": "microsoft.graph.x509CertificateUserBinding"
     }
   ],
-  "crlValidationConfiguration": {
-    "@odata.type": "microsoft.graph.x509CertificateCRLValidationConfiguration"
+  "authenticationModeConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateAuthenticationModeConfiguration"
   },
-  "excludeTargets": [
+  "issuerHintsConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateIssuerHintsConfiguration"
+  },
+  "certificateAuthorityScopes": [
     {
-      "@odata.type": "microsoft.graph.excludeTarget"
+      "@odata.type": "microsoft.graph.x509CertificateAuthorityScope"
     }
   ],
-  "id": "String (identifier)",
-  "state": "String"
+  "crlValidationConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateCRLValidationConfiguration"
+  }
 }
 ```
diff --git a/api-reference/v1.0/resources/x509certificateauthorityscope.md b/api-reference/v1.0/resources/x509certificateauthorityscope.md
@@ -0,0 +1,47 @@
+---
+title: "x509CertificateAuthorityScope resource type"
+description: "Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. "
+author: "vimrang"
+ms.date: 12/09/2025
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+toc.title: X509 certificate
+toc.keywords: [ certificate-based authentication, CBA ]
+---
+
+# x509CertificateAuthorityScope resource type
+
+Namespace: microsoft.graph
+
+Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. Configured on the [x509CertificateAuthenticationMethodConfiguration resource type](../resources/x509CertificateAuthenticationMethodConfiguration.md).
+
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|includeTargets|[includeTarget](../resources/includetarget.md) collection|A collection of groups that are enabled to be in scope to use certificates issued by specific certificate authority.|
+|publicKeyInfrastructureIdentifier|String|Public Key Infrastructure container object under which the certificate authorities are stored in the Entra PKI based trust store.|
+|subjectKeyIdentifier|String|Subject Key Identifier that identifies the certificate authority uniquely.|
+
+## Relationships
+None.
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.x509CertificateAuthorityScope"
+}
+-->
+``` json
+{
+    "@odata.type": "#microsoft.graph.x509CertificateAuthorityScope",
+    "subjectKeyIdentifier": "String",
+    "publicKeyInfrastructureIdentifier": "String",
+    "includeTargets": [
+    {
+        "@odata.type": "microsoft.graph.includeTarget"
+    }
+    ]
+}
+```
diff --git a/api-reference/v1.0/resources/x509certificatecrlvalidationconfiguration.md b/api-reference/v1.0/resources/x509certificatecrlvalidationconfiguration.md
@@ -5,14 +5,14 @@ author: "vimrang"
 ms.localizationpriority: medium
 ms.subservice: "entra-sign-in"
 doc_type: resourcePageType
-ms.date: 03/10/2025
+ms.date: 12/09/2025
 ---
 
 # x509CertificateCRLValidationConfiguration resource type
 
 Namespace: microsoft.graph
 
-Determines whether certificate-based authentication should fail if the issuing Certificate Authority (CA) doesn't have a valid certificate revocation list (CRL) configured. Includes the subject key identifier (SKI) of the CAs that should be exempted from CRL validation.
+Determines whether certificate-based authentication should fail if the issuing Certificate Authority (CA) doesn't have a valid certificate revocation list (CRL) configured. Includes the subject key identifier (SKI) of the CAs that should be exempted from CRL validation. Configured on the [x509CertificateAuthenticationMethodConfiguration resource type](../resources/x509CertificateAuthenticationMethodConfiguration.md).
 
 ## Properties
 |Property|Type|Description|
@@ -38,4 +38,4 @@ The following JSON representation shows the resource type.
   ],
   "state": "String"
 }
-```
+```
diff --git a/api-reference/v1.0/resources/x509certificateissuerhintsconfiguration.md b/api-reference/v1.0/resources/x509certificateissuerhintsconfiguration.md
diff --git a/changelog/Microsoft.AuthenticationMethodsPolicy.json b/changelog/Microsoft.AuthenticationMethodsPolicy.json
diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md
