Merge pull request #28858 from microsoftgraph/main

learn-build-service-prod[bot] · web-flow · commit 8a87f9e00eb7 · 2026-05-12T00:35:16.000Z
Auto Publish – main to live - 2026-05-12 00:30 UTC
diff --git a/api-reference/beta/resources/signin.md b/api-reference/beta/resources/signin.md
@@ -42,7 +42,7 @@ The [Microsoft Entra data retention policies](/azure/active-directory/reports-mo
 |appliedConditionalAccessPolicies|[appliedConditionalAccessPolicy](appliedconditionalaccesspolicy.md) collection|A list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see [Permissions for viewing applied conditional access (CA) policies in sign-ins](../api/signin-list.md#permissions).|
 |appOwnerTenantId|String|The identifier of the tenant that owns the client application. <br/><br/> Supports `$filter` (`eq`).|
 |appliedEventListeners|[appliedAuthenticationEventListener](../resources/appliedauthenticationeventlistener.md) collection|Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, which the corresponding events in the sign-in event triggered.|
-|appTokenProtectionStatus|tokenProtectionStatus|Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the app token was bound to the device.|
+|appTokenProtectionStatus|tokenProtectionStatus|Deprecated. Use **tokenProtectionStatusDetails** instead. Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the app token was bound to the device.|
 |authenticationAppDeviceDetails|[authenticationAppDeviceDetails](../resources/authenticationappdevicedetails.md)|Provides details about the app and device used during a Microsoft Entra authentication step.|
 |authenticationAppPolicyEvaluationDetails|[authenticationAppPolicyDetails](../resources/authenticationapppolicydetails.md) collection|Provides details of the Microsoft Entra policies applied to a user and client authentication app during an authentication step.|
 |authenticationContextClassReferences|[authenticationContext](authenticationcontext.md) collection|Contains a collection of values that represent the conditional access authentication contexts applied to the sign-in.|
@@ -100,10 +100,11 @@ The [Microsoft Entra data retention policies](/azure/active-directory/reports-mo
 |sessionId|String|Identifier of the session that was generated during the sign-in.|
 |signInIdentifier|String|The identification that the user provided to sign in. It can be the userPrincipalName, but is also populated when a user signs in using other identifiers.|
 |signInIdentifierType|signInIdentifierType|The type of sign in identifier. The possible values are: `userPrincipalName`, `phoneNumber`, `proxyAddress`, `qrCode`, `onPremisesUserPrincipalName`, `unknownFutureValue`.|
-|signInTokenProtectionStatus|tokenProtectionStatus|Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the signin token was bound to the device or not. The possible values are: `none`, `bound`, `unbound`, `unknownFutureValue`.|
+|signInTokenProtectionStatus|tokenProtectionStatus|Deprecated. Use **tokenProtectionStatusDetails** instead. Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the sign-in token was bound to the device. The possible values are: `none`, `bound`, `unbound`, `unknownFutureValue`.|
 |status|[signInStatus](signinstatus.md)|The sign-in status. Includes the error code and description of the error (for a sign-in failure). <br/><br/> Supports `$filter` (`eq`) on **errorCode** property.|
 |tokenIssuerName|String|The name of the identity provider. For example, `sts.microsoft.com`. <br/><br/> Supports `$filter` (`eq`).|
 |tokenIssuerType|tokenIssuerType|The type of identity provider. The possible values are: `AzureAD`, `ADFederationServices`, `UnknownFutureValue`, `AzureADBackupAuth`, `ADFederationServicesMFAAdapter`, `NPSExtension`. Use the `Prefer: include-unknown-enum-members` request header to get the following values in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `AzureADBackupAuth` , `ADFederationServicesMFAAdapter` , `NPSExtension`.|
+|tokenProtectionStatusDetails|[tokenProtectionStatusDetails](../resources/tokenprotectionstatusdetails.md)|The status of the token protection for a request in the sign-in logs. For more information, see [Conditional Access: Token Protection](/entra/identity/conditional-access/concept-token-protection).|
 |uniqueTokenIdentifier|String|A unique base64-encoded request identifier used to track tokens issued by Microsoft Entra ID as they're redeemed at resource providers.|
 |userAgent|String|The user agent information related to sign-in. <br/><br/> Supports `$filter` (`eq`, `startsWith`).|
 |userDisplayName|String|The display name of the user. <br/><br/> Supports `$filter` (`eq`, `startsWith`).|
@@ -240,6 +241,9 @@ The following JSON representation shows the resource type.
   },
   "tokenIssuerName": "String",
   "tokenIssuerType": "String",
+  "tokenProtectionStatusDetails": {
+    "@odata.type": "microsoft.graph.tokenProtectionStatusDetails"
+  },
   "userAgent": "String",
   "userDisplayName": "String",
   "userId": "String",
diff --git a/api-reference/beta/resources/tokenprotectionstatusdetails.md b/api-reference/beta/resources/tokenprotectionstatusdetails.md
@@ -0,0 +1,48 @@
+---
+title: "tokenProtectionStatusDetails resource type"
+description: "Represents the status of token protection for a request in sign-in logs."
+author: "paulgarn"
+ms.localizationpriority: medium
+ms.subservice: "entra-monitoring-health"
+ms.date: 05/11/2026
+doc_type: resourcePageType
+---
+
+# tokenProtectionStatusDetails resource type
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+ The status of token protection for a request in the sign-in logs. `bound` requests pass a conditional access session control for token protection. More detail might be provided in the **signInSessionStatusCode** property. For more information, see [Conditional Access: Token Protection](/entra/identity/conditional-access/concept-token-protection).
+
+## Methods
+
+None.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|signInSessionStatus|tokenProtectionStatus|The token protection status of the sign-in session. The possible values are: `none`, `bound`, `unbound`, `unknownFutureValue`.|
+|signInSessionStatusCode|Int32|Additional information about the status.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.tokenProtectionStatusDetails"
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.tokenProtectionStatusDetails",
+  "signInSessionStatus": "String",
+  "signInSessionStatusCode": "Integer"
+}
+```
diff --git a/api-reference/beta/toc/toc.mapping.json b/api-reference/beta/toc/toc.mapping.json
@@ -2792,6 +2792,9 @@
                 "signInEventsActivity",
                 "signInEventsAppActivity",
                 "summarizedSignIn"
+              ],
+              "complexTypes": [
+                "tokenProtectionStatusDetails"
               ]
             }
           ]

Original file line number	Diff line number	Diff line change
`@@ -2792,6 +2792,9 @@`
`2792`	`2792`	`"signInEventsActivity",`
`2793`	`2793`	`"signInEventsAppActivity",`
`2794`	`2794`	`"summarizedSignIn"`
	`2795`	`+ ],`
	`2796`	`+ "complexTypes": [`
	`2797`	`+ "tokenProtectionStatusDetails"`
`2795`	`2798`	`]`
`2796`	`2799`	`}`
`2797`	`2800`	`]`