V1.0 CA scope for CBA (#27891)

vimrang · FaithOmbongi · Copilot · web-flow · commit c2ee764df548 · 2026-05-08T11:22:34.000+03:00
* V1.0 CA scope for CBA * added includeTarget" * added changeLog * removed HTTP tab marker and boundary marker * fixed validation errors * fixed validation errors * fixed API doctor validation errors * addressed review comments * added issuer hints config as per dev PR * updated enum * fixed Missing resource issue * updated enum * fix JSON representation * Update x509certificateauthenticationmethodconfiguration.md * Cross-link complex type to entity type * Update x509certificateauthorityscope.md * Update x509certificatecrlvalidationconfiguration.md * cross-link to parent Added reference to x509CertificateAuthenticationMethodConfiguration resource type. * Update Microsoft.AuthenticationMethodsPolicy.json * Initial plan * Add what's new entry for certificate-based authentication updates Co-authored-by: FaithOmbongi <14026935+FaithOmbongi@users.noreply.github.com> * Fix resource URLs to use lowercase Co-authored-by: FaithOmbongi <14026935+FaithOmbongi@users.noreply.github.com> * Apply suggestion from @FaithOmbongi * Apply suggestion from @FaithOmbongi * Update Microsoft.AuthenticationMethodsPolicy.json Added new properties to the x509CertificateAuthenticationMethodConfiguration resource. * Update Microsoft.AuthenticationMethodsPolicy.json * fixed validation error in changelog * fixed validation error in changelog for dev PR * Apply suggestion from @FaithOmbongi * Add x509CertificateAuthenticationMethodConfiguration entry to whats-new-overview.md Co-authored-by: FaithOmbongi <14026935+FaithOmbongi@users.noreply.github.com> * Restore deleted changelog entries and add new entries Restored the d7bfd87d (passkey profiles) and 388131f4 (x509CertificateAuthorityScope) changelog entries that were accidentally deleted when the new a1291988 entry was added. Also fixed JSON formatting issues. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Danipocket <88507770+Danipocket@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Danipocket <88507770+Danipocket@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Faith Moraa Ombongi <ombongi.moraa.fe@gmail.com> * Reset changelog and readd --------- Co-authored-by: Faith Moraa Ombongi <ombongi.moraa.fe@gmail.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: FaithOmbongi <14026935+FaithOmbongi@users.noreply.github.com> Co-authored-by: Vimala Ranganathan <vranganathan@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Danipocket <88507770+Danipocket@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
diff --git a/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-get.md b/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-get.md
@@ -5,7 +5,7 @@ author: "vimrang"
 ms.localizationpriority: medium
 ms.subservice: "entra-sign-in"
 doc_type: apiPageType
-ms.date: 03/10/2025
+ms.date: 12/09/2025
 ---
 
 # Get x509CertificateAuthenticationMethodConfiguration
@@ -50,8 +50,6 @@ If successful, this method returns a `200 OK` response code and a [x509Certifica
 ## Examples
 
 ### Request
-
-# [HTTP](#tab/http)
 <!-- {
   "blockType": "request",
   "name": "get_x509certificateauthenticationmethodconfiguration"
@@ -61,36 +59,6 @@ If successful, this method returns a `200 OK` response code and a [x509Certifica
 GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
 ```
 
-# [C#](#tab/csharp)
-[!INCLUDE [sample-code](../includes/snippets/csharp/get-x509certificateauthenticationmethodconfiguration-csharp-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Go](#tab/go)
-[!INCLUDE [sample-code](../includes/snippets/go/get-x509certificateauthenticationmethodconfiguration-go-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Java](#tab/java)
-[!INCLUDE [sample-code](../includes/snippets/java/get-x509certificateauthenticationmethodconfiguration-java-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [JavaScript](#tab/javascript)
-[!INCLUDE [sample-code](../includes/snippets/javascript/get-x509certificateauthenticationmethodconfiguration-javascript-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PHP](#tab/php)
-[!INCLUDE [sample-code](../includes/snippets/php/get-x509certificateauthenticationmethodconfiguration-php-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PowerShell](#tab/powershell)
-[!INCLUDE [sample-code](../includes/snippets/powershell/get-x509certificateauthenticationmethodconfiguration-powershell-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Python](#tab/python)
-[!INCLUDE [sample-code](../includes/snippets/python/get-x509certificateauthenticationmethodconfiguration-python-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
----
-
 ### Response
 The following response object shows an x509CertificateAuthenticationMethodConfiguration with its default configuration.
 >**Note:** The response object shown here might be shortened for readability.
@@ -129,6 +97,18 @@ Content-Type: application/json
         "state": "disabled",
         "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": []
     },
+    "certificateAuthorityScopes": [
+        {
+            "subjectKeyIdentifier": "aaaaaaaabbbbcccc111122222222222222333333",
+            "publicKeyInfrastructureIdentifier": "Contoso PKI",
+            "includeTargets": [
+            {
+                "id": "aaaaaaaa-bbbb-cccc-1111-222222222222",
+                "targetType": "group"
+            }
+            ]
+        } 
+    ],
     "includeTargets": [
         {
             "targetType": "group",
@@ -138,5 +118,4 @@ Content-Type: application/json
     ],
     "excludeTargets": []
 }
-```
-
+```
diff --git a/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-update.md b/api-reference/v1.0/api/x509certificateauthenticationmethodconfiguration-update.md
@@ -43,14 +43,15 @@ The following properties can be updated.
 
 |Property|Type|Description|
 |:---|:---|:---|
-|state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
+|certificateAuthorityScopes|[x509CertificateAuthorityScope](../resources/x509certificateauthorityscope.md) collection|Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. |
 |certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
 |authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
 |crlValidationConfiguration|[x509CertificateCRLValidationConfiguration](../resources/x509certificatecrlvalidationconfiguration.md)|Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
+|issuerHintsConfiguration|[x509CertificateIssuerHintsConfiguration](../resources/x509certificateissuerhintsconfiguration.md)|Determines whether issuer(CA) hints are sent back to the client side to filter the certificates shown in certificate picker. |
+|state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
 
 >**Note:** The `@odata.type` property with a value of `#microsoft.graph.x509CertificateAuthenticationMethodConfiguration` must be included in the body.
 
-
 ## Response
 If successful, this method returns a `204 No Content` response code. It doesn't return anything in the response body.
 
@@ -64,13 +65,12 @@ The following is an example of an update request with the following settings:
 + Defines multi-factor authentication as requirement.
 + Configures the binding rules for the strong authentication method against the rule type.
 
-
-# [HTTP](#tab/http)
 <!-- {
   "blockType": "request",
   "name": "update_x509certificateauthenticationmethodconfiguration"
 }
 -->
+
 ```http
 PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
 Content-Type: application/json
@@ -101,6 +101,21 @@ Content-Type: application/json
             }
         ]
     },
+    "certificateAuthorityScopes": [
+        {
+            "subjectKeyIdentifier": "aaaaaaaabbbbcccc111122222222222222333333",
+            "publicKeyInfrastructureIdentifier": "Contoso PKI",
+            "includeTargets": [
+            {
+                "id": "aaaaaaaa-bbbb-cccc-1111-222222222222",
+                "targetType": "group"
+            }
+            ]
+        }
+    ],
+    "issuerHintsConfiguration": {
+        "state": "enabled"
+    },
     "crlValidationConfiguration": {
         "state": "disabled",
         "exemptedCertificateAuthoritiesSubjectKeyIdentifiers": []
@@ -115,36 +130,6 @@ Content-Type: application/json
 }
 ```
 
-# [C#](#tab/csharp)
-[!INCLUDE [sample-code](../includes/snippets/csharp/update-x509certificateauthenticationmethodconfiguration-csharp-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Go](#tab/go)
-[!INCLUDE [sample-code](../includes/snippets/go/update-x509certificateauthenticationmethodconfiguration-go-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Java](#tab/java)
-[!INCLUDE [sample-code](../includes/snippets/java/update-x509certificateauthenticationmethodconfiguration-java-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [JavaScript](#tab/javascript)
-[!INCLUDE [sample-code](../includes/snippets/javascript/update-x509certificateauthenticationmethodconfiguration-javascript-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PHP](#tab/php)
-[!INCLUDE [sample-code](../includes/snippets/php/update-x509certificateauthenticationmethodconfiguration-php-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [PowerShell](#tab/powershell)
-[!INCLUDE [sample-code](../includes/snippets/powershell/update-x509certificateauthenticationmethodconfiguration-powershell-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
-# [Python](#tab/python)
-[!INCLUDE [sample-code](../includes/snippets/python/update-x509certificateauthenticationmethodconfiguration-python-snippets.md)]
-[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-
----
-
 ### Response
 <!-- {
   "blockType": "response"
diff --git a/api-reference/v1.0/resources/enums.md b/api-reference/v1.0/resources/enums.md
@@ -3,7 +3,7 @@ title: "Enum values"
 description: "Microsoft Graph enumeration values."
 ms.localizationpriority: medium
 ms.subservice: "non-product-specific"
-ms.date: 12/02/2025
+ms.date: 01/20/2026
 author: "MSGraphDocsvTeam"
 doc_type: enumPageType
 ms.custom: sfi-ropc-nochange
@@ -877,6 +877,14 @@ Namespace: microsoft.graph
 | policyOID |
 | unknownFutureValue |
 
+### x509CertificateIssuerHintsState values
+
+| Member |
+| ---- |
+| disabled |
+| enabled |
+| unknownFutureValue |
+
 ### x509CertificateCRLValidationConfigurationState values
 
 | Member |
diff --git a/api-reference/v1.0/resources/includetarget.md b/api-reference/v1.0/resources/includetarget.md
@@ -0,0 +1,42 @@
+---
+title: "includeTarget resource type"
+description: "Defines the users and groups that are included in a set of changes."
+author: "msft-poulomi"
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+ms.date: 12/09/2024
+---
+
+# includeTarget resource type
+
+Namespace: microsoft.graph
+
+Defines the users and groups that are included in a set of changes.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|id|String|The ID of the entity targeted.|
+|targetType|authenticationMethodTargetType|The kind of entity targeted. The possible values are: `user`, `group`.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.includeTarget"
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.includeTarget",
+  "id": "String (identifier)",
+  "targetType": "String"
+}
+```
diff --git a/api-reference/v1.0/resources/x509certificateauthenticationmethodconfiguration.md b/api-reference/v1.0/resources/x509certificateauthenticationmethodconfiguration.md
@@ -30,19 +30,22 @@ Inherits from [authenticationMethodConfiguration](../resources/authenticationmet
 |Property|Type|Description|
 |:---|:---|:---|
 |authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
+|certificateAuthorityScopes|[x509CertificateAuthorityScope](../resources/x509certificateauthorityscope.md) collection|Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. |
 |certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Microsoft Entra user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
 |crlValidationConfiguration|[x509CertificateCRLValidationConfiguration](../resources/x509certificatecrlvalidationconfiguration.md)|Determines whether certificate based authentication should fail if the issuing CA doesn't have a valid certificate revocation list configured. |
 |excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|
-|id|String|The identifier for the authentication method policy. The value is always `X509Certificate`. Inherited from
+|id|String|The identifier for the authentication method policy. The value is always `X509Certificate`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md). |
+|issuerHintsConfiguration|[x509CertificateIssuerHintsConfiguration](../resources/x509certificateissuerhintsconfiguration.md)|Determines whether issuer(CA) hints are sent back to the client side to filter the certificates shown in certificate picker. |
 |state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
 
 ## Relationships
+
 |Relationship|Type|Description|
 |:---|:---|:---|
 |includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|
 
+## JSON representation
 The following JSON representation shows the resource type.
-The following is a JSON representation of the resource.
 <!-- {
   "blockType": "resource",
   "keyProperty": "id",
@@ -54,23 +57,31 @@ The following is a JSON representation of the resource.
 ``` json
 {
   "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
-  "authenticationModeConfiguration": {
-    "@odata.type": "microsoft.graph.x509CertificateAuthenticationModeConfiguration"
-  },
+  "id": "String (identifier)",
+  "state": "String",
+  "excludeTargets": [
+    {
+      "@odata.type": "microsoft.graph.excludeTarget"
+    }
+  ],
   "certificateUserBindings": [
     {
       "@odata.type": "microsoft.graph.x509CertificateUserBinding"
     }
   ],
-  "crlValidationConfiguration": {
-    "@odata.type": "microsoft.graph.x509CertificateCRLValidationConfiguration"
+  "authenticationModeConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateAuthenticationModeConfiguration"
   },
-  "excludeTargets": [
+  "issuerHintsConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateIssuerHintsConfiguration"
+  },
+  "certificateAuthorityScopes": [
     {
-      "@odata.type": "microsoft.graph.excludeTarget"
+      "@odata.type": "microsoft.graph.x509CertificateAuthorityScope"
     }
   ],
-  "id": "String (identifier)",
-  "state": "String"
+  "crlValidationConfiguration": {
+    "@odata.type": "microsoft.graph.x509CertificateCRLValidationConfiguration"
+  }
 }
 ```
diff --git a/api-reference/v1.0/resources/x509certificateauthorityscope.md b/api-reference/v1.0/resources/x509certificateauthorityscope.md
@@ -0,0 +1,47 @@
+---
+title: "x509CertificateAuthorityScope resource type"
+description: "Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. "
+author: "vimrang"
+ms.date: 12/09/2025
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+toc.title: X509 certificate
+toc.keywords: [ certificate-based authentication, CBA ]
+---
+
+# x509CertificateAuthorityScope resource type
+
+Namespace: microsoft.graph
+
+Defines configuration to allow a group of users to use certificates from specific issuing certificate authorities to successfully authenticate. Configured on the [x509CertificateAuthenticationMethodConfiguration resource type](../resources/x509CertificateAuthenticationMethodConfiguration.md).
+
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|includeTargets|[includeTarget](../resources/includetarget.md) collection|A collection of groups that are enabled to be in scope to use certificates issued by specific certificate authority.|
+|publicKeyInfrastructureIdentifier|String|Public Key Infrastructure container object under which the certificate authorities are stored in the Entra PKI based trust store.|
+|subjectKeyIdentifier|String|Subject Key Identifier that identifies the certificate authority uniquely.|
+
+## Relationships
+None.
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.x509CertificateAuthorityScope"
+}
+-->
+``` json
+{
+    "@odata.type": "#microsoft.graph.x509CertificateAuthorityScope",
+    "subjectKeyIdentifier": "String",
+    "publicKeyInfrastructureIdentifier": "String",
+    "includeTargets": [
+    {
+        "@odata.type": "microsoft.graph.includeTarget"
+    }
+    ]
+}
+```
diff --git a/api-reference/v1.0/resources/x509certificatecrlvalidationconfiguration.md b/api-reference/v1.0/resources/x509certificatecrlvalidationconfiguration.md
@@ -5,14 +5,14 @@ author: "vimrang"
 ms.localizationpriority: medium
 ms.subservice: "entra-sign-in"
 doc_type: resourcePageType
-ms.date: 03/10/2025
+ms.date: 12/09/2025
 ---
 
 # x509CertificateCRLValidationConfiguration resource type
 
 Namespace: microsoft.graph
 
-Determines whether certificate-based authentication should fail if the issuing Certificate Authority (CA) doesn't have a valid certificate revocation list (CRL) configured. Includes the subject key identifier (SKI) of the CAs that should be exempted from CRL validation.
+Determines whether certificate-based authentication should fail if the issuing Certificate Authority (CA) doesn't have a valid certificate revocation list (CRL) configured. Includes the subject key identifier (SKI) of the CAs that should be exempted from CRL validation. Configured on the [x509CertificateAuthenticationMethodConfiguration resource type](../resources/x509CertificateAuthenticationMethodConfiguration.md).
 
 ## Properties
 |Property|Type|Description|
@@ -38,4 +38,4 @@ The following JSON representation shows the resource type.
   ],
   "state": "String"
 }
-```
+```
diff --git a/api-reference/v1.0/resources/x509certificateissuerhintsconfiguration.md b/api-reference/v1.0/resources/x509certificateissuerhintsconfiguration.md
diff --git a/changelog/Microsoft.AuthenticationMethodsPolicy.json b/changelog/Microsoft.AuthenticationMethodsPolicy.json
diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md
