AADAuthenticationMethodPolicy¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
Description	Write	String	A description of the policy.
DisplayName	Key	String	The name of the policy.
PolicyMigrationState	Write	String	The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. The possible values are: premigration - means the authentication methods policy is used for authentication only, legacy policies are respected. migrationInProgress - means the authentication methods policy is used for both authenication and SSPR, legacy policies are respected. migrationComplete - means the authentication methods policy is used for authentication and SSPR, legacy policies are ignored. unknownFutureValue - Evolvable enumeration sentinel value. Do not use.	`preMigration`, `migrationInProgress`, `migrationComplete`, `unknownFutureValue`
PolicyVersion	Write	String	The version of the policy in use.
ReconfirmationInDays	Write	UInt32	Days before the user will be asked to reconfirm their method.
RegistrationEnforcement	Write	MSFT_MicrosoftGraphregistrationEnforcement	Enforce registration at sign-in time. This property can be used to remind users to set up targeted authentication methods.
ReportSuspiciousActivitySettings	Write	MSFT_MicrosoftGraphreportSuspiciousActivitySettings	Allows users to report suspicious activities if they receive an authentication request that they did not initiate.
SystemCredentialPreferences	Write	MSFT_MicrosoftGraphsystemCredentialPreferences	Prompt users with their most-preferred credential for multifactor authentication.
Id	Write	String	The unique identifier for an entity. Read-only.
Ensure	Write	String	Present ensures the policy exists, absent ensures it is removed.	`Present`
Credential	Write	PSCredential	Credentials of the Admin
ApplicationId	Write	String	Id of the Azure Active Directory application to authenticate with.
TenantId	Write	String	Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret	Write	PSCredential	Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint	Write	String	Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity	Write	Boolean	Managed ID being used for authentication.
AccessTokens	Write	StringArray[]	Access token used for authentication.

MSFT_MicrosoftGraphRegistrationEnforcement¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
AuthenticationMethodsRegistrationCampaign	Write	MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaign	Run campaigns to remind users to setup targeted authentication methods.

MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaign¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
ExcludeTargets	Write	MSFT_MicrosoftGraphExcludeTarget[]	Users and groups of users that are excluded from being prompted to set up the authentication method.
IncludeTargets	Write	MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaignIncludeTarget[]	Users and groups of users that are prompted to set up the authentication method.
SnoozeDurationInDays	Write	UInt32	Specifies the number of days that the user sees a prompt again if they select 'Not now' and snoozes the prompt. Minimum 0 days. Maximum: 14 days. If the value is '0' The user is prompted during every MFA attempt.
State	Write	String	Enable or disable the feature. Possible values are: default, enabled, disabled, unknownFutureValue. The default value is used when the configuration hasn't been explicitly set and uses the default behavior of Azure AD for the setting. The default value is disabled.	`default`, `enabled`, `disabled`, `unknownFutureValue`

MSFT_AADAuthenticationMethodPolicyExcludeTarget¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
Id	Write	String	The object identifier of an Azure AD group.
TargetType	Write	String	The type of the authentication method target. Possible values are: group and unknownFutureValue.	`user`, `group`, `unknownFutureValue`

MSFT_AADAuthenticationMethodPolicyIncludeTarget¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
Id	Write	String	The ID of the entity targeted.
TargetType	Write	String	The kind of entity targeted. Possible values are: user, group.	`user`, `group`, `unknownFutureValue`

MSFT_MicrosoftGraphExcludeTarget¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
Id	Write	String	The object identifier of an Azure AD user or group.
TargetType	Write	String	The type of the authentication method target. Possible values are: user, group, unknownFutureValue.	`user`, `group`, `unknownFutureValue`

MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaignIncludeTarget¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
Id	Write	String	The object identifier of an Azure AD user or group.
TargetedAuthenticationMethod	Write	String	The authentication method that the user is prompted to register. The value must be microsoftAuthenticator.
TargetType	Write	String	The type of the authentication method target. Possible values are: user, group, unknownFutureValue.	`user`, `group`, `unknownFutureValue`

MSFT_MicrosoftGraphSystemCredentialPreferences¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
ExcludeTargets	Write	MSFT_AADAuthenticationMethodPolicyExcludeTarget[]	Users and groups excluded from the preferred authentication method experience of the system.
IncludeTargets	Write	MSFT_AADAuthenticationMethodPolicyIncludeTarget[]	Users and groups included in the preferred authentication method experience of the system.
State	Write	String	Indicates whether the feature is enabled or disabled. Possible values are: default, enabled, disabled, unknownFutureValue. The default value is used when the configuration hasn't been explicitly set, and uses the default behavior of Azure Active Directory for the setting. The default value is disabled.	`default`, `enabled`, `disabled`, `unknownFutureValue`

MSFT_MicrosoftGraphReportSuspiciousActivitySettings¶

Parameters¶

Parameter	Attribute	DataType	Description	Allowed Values
IncludeTarget	Write	MSFT_AADAuthenticationMethodPolicyIncludeTarget	Group IDs in scope for report suspicious activity.
State	Write	String	Specifies the state of the reportSuspiciousActivitySettings object.	`default`, `enabled`, `disabled`, `unknownFutureValue`
VoiceReportingCode	Write	UInt32	Specifies the number the user enters on their phone to report the MFA prompt as suspicious.

Description¶

Azure AD Authentication Method Policy

Permissions¶

Microsoft Graph¶

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions¶

Read
- Policy.ReadWrite.AuthenticationMethod
Update
- Policy.ReadWrite.AuthenticationMethod

Application permissions¶

Read
- Policy.ReadWrite.AuthenticationMethod
Update
- Policy.ReadWrite.AuthenticationMethod

Examples¶

Example 1¶

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADAuthenticationMethodPolicy "AADAuthenticationMethodPolicy-Authentication Methods Policy"
        {
            DisplayName             = "Authentication Methods Policy";
            Ensure                  = "Present";
            Id                      = "authenticationMethodsPolicy";
            PolicyMigrationState    = "migrationInProgress";
            PolicyVersion           = "1.5";
            RegistrationEnforcement = MSFT_MicrosoftGraphregistrationEnforcement{
                AuthenticationMethodsRegistrationCampaign = MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaign{
                    SnoozeDurationInDays = (Get-Random -Minimum 1 -Maximum 14)
                    IncludeTargets = @(
                        MSFT_MicrosoftGraphAuthenticationMethodsRegistrationCampaignIncludeTarget{
                            TargetedAuthenticationMethod = 'microsoftAuthenticator'
                            TargetType = 'group'
                            Id = 'all_users'
                        }
                    )
                    State = 'default'
                }
            };
            ReportSuspiciousActivitySettings = MSFT_MicrosoftGraphreportSuspiciousActivitySettings{
                VoiceReportingCode = 0
                IncludeTarget = MSFT_AADAuthenticationMethodPolicyIncludeTarget{
                    Id = 'all_users'
                    TargetType = 'group'
                }
                State = 'default'
            };
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}