onPasswordMigrationCustomExtensionHandler resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents a handler that invokes a custom authentication extension API to validate user credentials against a legacy authentication system during the sign-in process. This handler enables Just-In-Time (JIT) migration scenarios where passwords can't be exported from the legacy system.

When triggered, this handler:

Checks if the user requires migration based on the specified migrationPropertyId custom attribute
If migration is needed, calls the configured custom extension API with the user's credentials
Upon successful validation, persists the credentials in Microsoft Entra ID and updates the migration status

Inherits from onPasswordSubmitHandler.

Properties

Property	Type	Description
configuration	customExtensionOverwriteConfiguration	Configuration that overrides the default settings from the referenced custom extension, such as timeout and retry values. Optional.
migrationPropertyId	String	The name of the custom extension attribute that indicates whether a user requires migration. This property must reference a valid custom attribute on the user object (for example, `extension_<appId>_requiresMigration`). Required.

Relationships

Relationship	Type	Description
customExtension	onPasswordSubmitCustomExtension	Reference to the custom authentication extension that will be invoked to validate the user's password against the legacy system.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.onPasswordMigrationCustomExtensionHandler",
  "configuration": {
    "@odata.type": "microsoft.graph.customExtensionOverwriteConfiguration"
  },
  "migrationPropertyId": "String"
}

Feedback

Was this page helpful?

Last updated on 2026-02-04