Merge pull request #28378 from microsoftgraph/diadabal-ops-ga

Promote OnPasswordSubmit event to v1.0

Author: FaithOmbongi

api-reference/v1.0/api/authenticationeventlistener-delete.md

@@ -22,6 +22,7 @@ Delete an [authenticationEventListener](../resources/authenticationeventlistener
 - [onAttributeCollectionSubmitListener](../resources/onattributecollectionsubmitlistener.md) resource type
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]
 

api-reference/v1.0/api/authenticationeventlistener-get.md

@@ -22,6 +22,7 @@ Read the properties and relationships of an [authenticationEventListener](../res
 - [onAttributeCollectionSubmitListener](../resources/onattributecollectionsubmitlistener.md) resource type
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]
 

api-reference/v1.0/api/authenticationeventlistener-update.md

@@ -22,6 +22,7 @@ Update the properties of an [authenticationEventListener](../resources/authentic
 - [onAttributeCollectionSubmitListener](../resources/onattributecollectionsubmitlistener.md) resource type
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]
 
@@ -58,8 +59,7 @@ You must specify the **@odata.type** property and the value of the [authenticati
 |:---|:---|:---|
 |conditions|[authenticationConditions](../resources/authenticationconditions.md)|The conditions on which this authenticationEventListener should trigger. Optional.|
 |displayName|String|The display name of the authentication event listener policy. Optional.|
-|handler|[onTokenIssuanceStartHandler](../resources/ontokenissuancestarthandler.md) &#124; [onFraudProtectionLoadStartHandler](../resources/onfraudprotectionloadstarthandler.md)|The handler to invoke when conditions are met. The type of handler depends on the listener type:<br/>- For **onTokenIssuanceStartListener**, use [onTokenIssuanceStartHandler](../resources/ontokenissuancestarthandler.md).<br/>- For **onFraudProtectionLoadStartListener**, use [onFraudProtectionLoadStartHandler](../resources/onfraudprotectionloadstarthandler.md).|
-
+|handler|[onTokenIssuanceStartHandler](../resources/ontokenissuancestarthandler.md) or [onFraudProtectionLoadStartHandler](../resources/onfraudprotectionloadstarthandler.md) or [onPasswordSubmitHandler](../resources/onpasswordsubmithandler.md)|The handler to invoke when conditions are met. For **onTokenIssuanceStartListener**, set to [onTokenIssuanceStartHandler](../resources/ontokenissuancestarthandler.md). For **onFraudProtectionLoadStartListener**, set to [onFraudProtectionLoadStartHandler](../resources/onfraudprotectionloadstarthandler.md). For **onPasswordSubmitListener**, set to [onPasswordSubmitHandler](../resources/onpasswordsubmithandler.md).|
 ## Response
 
 If successful, this method returns a `204 No Content` response code.
@@ -77,7 +77,7 @@ The following example shows a request to update an authentication event listener
   "name": "update_authenticationeventlistener"
 }
 -->
-``` http
+```msgraph-interactive
 PATCH https://graph.microsoft.com/v1.0/identity/authenticationEventListeners/990d94e5-cc8f-4c4b-97b4-27e2678aac28
 Content-Type: application/json
 
@@ -147,7 +147,7 @@ The following example shows a request to add an application to an authentication
   "name": "update_authenticationeventlistener_2"
 }
 -->
-``` http
+```msgraph-interactive
 POST https://graph.microsoft.com/v1.0/identity/authenticationEventListeners/0313cc37-d421-421d-857b-87804d61e33e/conditions/applications/includeApplications
 Content-Type: application/json
 

api-reference/v1.0/api/identitycontainer-list-authenticationeventlisteners.md

@@ -22,6 +22,7 @@ Get a list of the [authenticationEventListener](../resources/authenticationevent
 - [onAttributeCollectionSubmitListener](../resources/onattributecollectionsubmitlistener.md)
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md)
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md)
+- [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md)
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]
 

api-reference/v1.0/api/identitycontainer-post-authenticationeventlisteners.md

@@ -22,6 +22,7 @@ Create a new [authenticationEventListener](../resources/authenticationeventliste
 - [onAttributeCollectionSubmitListener](../resources/onattributecollectionsubmitlistener.md)
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md)
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/global-us.md)]
 
@@ -59,6 +60,7 @@ You can specify the following properties when creating an **authenticationEventL
 |conditions|[authenticationConditions](../resources/authenticationconditions.md)|The conditions on which this authenticationEventListener should trigger. Optional.|
 |displayName|String|The display name of the authentication event listener policy. Optional.|
 |handler|[onTokenIssuanceStartHandler](../resources/ontokenissuancestarthandler.md) or [onFraudProtectionLoadStartHandler](../resources/onfraudprotectionloadstarthandler.md)|The handler to invoke when conditions are met. For **onTokenIssuanceStartListener**, set to [onTokenIssuanceStartHandler](../resources/ontokenissuancestarthandler.md). For **onFraudProtectionLoadStartListener**, set to [onFraudProtectionLoadStartHandler](../resources/onfraudprotectionloadstarthandler.md).|
+|handler|[onPasswordSubmitHandler](../resources/onpasswordsubmithandler.md)|The handler to invoke when conditions are met. Can be set for the **onPasswordSubmitListener** listener type.|
 
 ## Response
 
@@ -385,3 +387,79 @@ Content-Type: application/json
   }
 }
 ```
+
+### Example 4: Create an onPasswordSubmitListener object
+
+#### Request
+
+The following example shows a request.
+
+<!-- {
+  "blockType": "request",
+  "name": "create_authenticationeventlistener_onpasswordsubmitlistener"
+}
+-->
+```msgraph-interactive
+POST https://graph.microsoft.com/v1.0/identity/authenticationEventListeners
+Content-Type: application/json
+
+{
+  "@odata.type": "#microsoft.graph.onPasswordSubmitListener",
+  "displayName": "JIT migration listener",
+  "conditions": {
+    "applications": {
+      "includeAllApplications": false,
+      "includeApplications": [
+        {
+          "appId": "00011111-aaaa-2222-bbbb-3333cccc4444"
+        }
+      ]
+    }
+  },
+  "handler": {
+    "@odata.type": "#microsoft.graph.onPasswordMigrationCustomExtensionHandler",
+    "migrationPropertyId": "extension_b7b1c57b532f40b8b5ed4b7a7ba67401_requiresMigration",
+    "customExtension": {
+      "id": "6fc5012e-7665-43d6-9708-4370863f4e6e"
+    }
+  }
+}
+```
+
+#### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.authenticationEventListener"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/authenticationEventListeners/$entity",
+  "@odata.type": "#microsoft.graph.onPasswordSubmitListener",
+  "id": "4a6cb5f0-1234-5678-abcd-ef9012345678",
+  "displayName": "JIT migration listener",
+  "authenticationEventsFlowId": null,
+  "conditions": {
+    "applications": {
+      "includeAllApplications": false,
+      "includeApplications": [
+        {
+          "appId": "00011111-aaaa-2222-bbbb-3333cccc4444"
+        }
+      ]
+    }
+  },
+  "handler": {
+    "@odata.type": "#microsoft.graph.onPasswordMigrationCustomExtensionHandler",
+    "migrationPropertyId": "extension_b7b1c57b532f40b8b5ed4b7a7ba67401_requiresMigration",
+    "configuration": null
+  }
+}
+```

api-reference/v1.0/api/identitycontainer-post-customauthenticationextensions.md

@@ -18,6 +18,7 @@ Create a new [customAuthenticationExtension](../resources/customauthenticationex
 - [onAttributeCollectionStartCustomExtension](../resources/onattributecollectionstartcustomextension.md) resource type.
 - [onAttributeCollectionSubmitCustomExtension](../resources/onattributecollectionsubmitcustomextension.md) resource type.
 - [onOtpSendCustomExtension](../resources/onOtpSendCustomExtension.md) resource type.
+- [onPasswordSubmitCustomExtension](../resources/onpasswordsubmitcustomextension.md) resource type.
 
 > [!NOTE]
 >
@@ -501,3 +502,74 @@ Content-Type: application/json
 }
 ```
 
+
+
+### Example 5: Create an onPasswordSubmitCustomExtension object
+
+#### Request
+
+The following example shows a request.
+
+<!-- {
+  "blockType": "request",
+  "name": "create_customauthenticationextension_onpasswordsubmitcustomextension"
+}
+-->
+```msgraph-interactive
+POST https://graph.microsoft.com/v1.0/identity/customAuthenticationExtensions
+Content-Type: application/json
+
+{
+  "@odata.type": "#microsoft.graph.onPasswordSubmitCustomExtension",
+  "displayName": "Legacy password validator",
+  "description": "Validates passwords against a legacy authentication system for JIT migration",
+  "endpointConfiguration": {
+    "@odata.type": "#microsoft.graph.httpRequestEndpoint",
+    "targetUrl": "https://api.contoso.com/passwordvalidation"
+  },
+  "authenticationConfiguration": {
+    "@odata.type": "#microsoft.graph.azureAdTokenAuthentication",
+    "resourceId": "api://api.contoso.com/passwordvalidation"
+  },
+  "clientConfiguration": {
+    "timeoutInMilliseconds": 2000,
+    "maximumRetries": 1
+  }
+}
+```
+
+#### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.customAuthenticationExtension"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/customAuthenticationExtensions/$entity",
+  "@odata.type": "#microsoft.graph.onPasswordSubmitCustomExtension",
+  "id": "6fc5012e-7665-43d6-9708-4370863f4e6e",
+  "displayName": "Legacy password validator",
+  "description": "Validates passwords against a legacy authentication system for JIT migration",
+  "behaviorOnError": null,
+  "authenticationConfiguration": {
+    "@odata.type": "#microsoft.graph.azureAdTokenAuthentication",
+    "resourceId": "api://api.contoso.com/passwordvalidation"
+  },
+  "clientConfiguration": {
+    "timeoutInMilliseconds": 2000,
+    "maximumRetries": 1
+  },
+  "endpointConfiguration": {
+    "@odata.type": "#microsoft.graph.httpRequestEndpoint",
+    "targetUrl": "https://api.contoso.com/passwordvalidation"
+  }
+}
+```

api-reference/v1.0/resources/authenticationeventlistener.md

@@ -23,6 +23,7 @@ To customize the authentication process, listeners can be registered which speci
 - [onAttributeCollectionSubmitListener](../resources/onattributecollectionsubmitlistener.md) resource type
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 
 > [!NOTE]
 >

api-reference/v1.0/resources/customauthenticationextension.md

@@ -18,6 +18,7 @@ Custom authentication extensions define interactions with external systems durin
 - [onAttributeCollectionStartCustomExtension](../resources/onattributecollectionstartcustomextension.md) resource type.
 - [onAttributeCollectionSubmitCustomExtension](../resources/onattributecollectionsubmitcustomextension.md) resource type.
 - [onOtpSendCustomExtension](../resources/onotpsendcustomextension.md) resource type.
+- [onPasswordSubmitCustomExtension](../resources/onpasswordsubmitcustomextension.md) resource type.
 
 Inherits from [customCalloutExtension](../resources/customcalloutextension.md).
 

api-reference/v1.0/resources/onpasswordmigrationcustomextensionhandler.md

@@ -0,0 +1,51 @@
+---
+title: "onPasswordMigrationCustomExtensionHandler resource type"
+description: "Represents a handler that invokes a custom authentication extension for password validation during Just-In-Time user migration."
+author: "diadabal"
+ms.date: 03/05/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+---
+
+# onPasswordMigrationCustomExtensionHandler resource type
+
+Namespace: microsoft.graph
+
+Represents a handler that invokes a custom authentication extension API to validate user credentials against a legacy authentication system during the sign-in process. This handler enables Just-In-Time (JIT) migration scenarios where passwords can't be exported from the legacy system.
+
+When triggered, this handler:
+1. Checks if the user requires migration based on the specified **migrationPropertyI** custom attribute
+2. If migration is needed, calls the configured custom extension API with the user's credentials
+3. Upon successful validation, persists the credentials in Microsoft Entra ID and updates the migration status
+
+Inherits from [onPasswordSubmitHandler](../resources/onpasswordsubmithandler.md).
+
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|configuration|[customExtensionOverwriteConfiguration](../resources/customextensionoverwriteconfiguration.md)|Configuration that overrides the default settings from the referenced custom extension, such as timeout and retry values. Optional.|
+|migrationPropertyId|String|The name of the custom extension attribute that indicates whether a user requires migration. This property must reference a valid custom attribute on the user object (for example, `extension_<appId>_requiresMigration`). Required.|
+
+## Relationships
+|Relationship|Type|Description|
+|:---|:---|:---|
+|customExtension|[onPasswordSubmitCustomExtension](../resources/onpasswordsubmitcustomextension.md)|Reference to the custom authentication extension that will be invoked to validate the user's password against the legacy system.|
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.onPasswordMigrationCustomExtensionHandler"
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.onPasswordMigrationCustomExtensionHandler",
+  "configuration": {
+    "@odata.type": "microsoft.graph.customExtensionOverwriteConfiguration"
+  },
+  "migrationPropertyId": "String"
+}
+```
+

api-reference/v1.0/resources/onpasswordsubmitcustomextension.md

@@ -0,0 +1,72 @@
+---
+title: "onPasswordSubmitCustomExtension resource type"
+description: "Represents a custom authentication extension for the onPasswordSubmit event, used for Just-In-Time migration from legacy authentication providers."
+author: "diadabal"
+ms.date: 03/05/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-sign-in"
+doc_type: resourcePageType
+---
+
+# onPasswordSubmitCustomExtension resource type
+
+Namespace: microsoft.graph
+
+Represents a custom authentication extension for the **onPasswordSubmit** event. This extension enables organizations to validate user credentials against legacy authentication systems during the sign-in process, facilitating Just-In-Time (JIT) migration scenarios where passwords can't be exported from the legacy system.
+
+When a user attempts to sign in, this extension calls a customer-provided API endpoint to validate the password against the legacy system. Upon successful validation, the user's credentials are persisted in Microsoft Entra ID, completing the migration for that user.
+
+Inherits from [customAuthenticationExtension](../resources/customauthenticationextension.md).
+
+## Methods
+None.
+
+For the list of API operations for managing this resource type, see the [customAuthenticationExtension](../resources/customauthenticationextension.md) resource type.
+
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|authenticationConfiguration|[customExtensionAuthenticationConfiguration](../resources/customextensionauthenticationconfiguration.md)|Configuration for securing the API call to the external system. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+|behaviorOnError|[customExtensionBehaviorOnError](../resources/customextensionbehavioronerror.md)|Error handling behavior if the external API fails or is unreachable. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+|clientConfiguration|[customExtensionClientConfiguration](../resources/customextensionclientconfiguration.md)|HTTP client configuration including timeout and retry settings. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+|description|String|Description of the custom authentication extension. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+|displayName|String|Display name for the custom authentication extension. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+|endpointConfiguration|[customExtensionEndpointConfiguration](../resources/customextensionendpointconfiguration.md)|HTTP endpoint configuration for the external API. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+|id|String|Unique identifier for the custom authentication extension. Inherited from [customAuthenticationExtension](../resources/customauthenticationextension.md).|
+
+## Relationships
+None.
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "keyProperty": "id",
+  "@odata.type": "microsoft.graph.onPasswordSubmitCustomExtension",
+  "baseType": "microsoft.graph.customAuthenticationExtension",
+  "openType": false
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.onPasswordSubmitCustomExtension",
+  "id": "String (identifier)",
+  "displayName": "String",
+  "description": "String",
+  "endpointConfiguration": {
+    "@odata.type": "microsoft.graph.httpRequestEndpoint",
+    "targetUrl": "String"
+  },
+  "authenticationConfiguration": {
+    "@odata.type": "microsoft.graph.azureAdTokenAuthentication",
+    "resourceId": "String"
+  },
+  "clientConfiguration": {
+    "@odata.type": "microsoft.graph.customExtensionClientConfiguration"
+  },
+  "behaviorOnError": {
+    "@odata.type": "microsoft.graph.customExtensionBehaviorOnError"
+  }
+}
+```
+