AADAuthenticationMethodPolicyAuthenticator

Parameters

Parameter Attribute DataType Description Allowed Values
FeatureSettings Write MSFT_MicrosoftGraphMicrosoftAuthenticatorFeatureSettings A collection of Microsoft Authenticator settings such as number matching and location context, and whether they are enabled for all users or specific users only.
IsSoftwareOathEnabled Write Boolean true if users can use the OTP code generated by the Microsoft Authenticator app, false otherwise.
ExcludeTargets Write MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget[] Displayname of the groups of users that are excluded from a policy.
IncludeTargets Write MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget[] Displayname of the groups of users that are included from a policy.
State Write String The state of the policy. Possible values are: enabled, disabled. enabled, disabled
Id Key String The unique identifier for an entity. Read-only.
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.

MSFT_MicrosoftGraphMicrosoftAuthenticatorFeatureSettings

Parameters

Parameter Attribute DataType Description Allowed Values
CompanionAppAllowedState Write MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration Determines whether users will be able to approve push notifications on other Microsoft applications such as Outlook Mobile.
DisplayAppInformationRequiredState Write MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration Determines whether the user's Authenticator app will show them the client app they are signing into.
DisplayLocationInformationRequiredState Write MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration Determines whether the user's Authenticator app will show them the geographic location of where the authentication request originated from.
NumberMatchingRequiredState Write MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration Specifies whether the user needs to enter a number in the Authenticator app from the login screen to complete their login. Value is ignored for phone sign-in notifications.

MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration

Parameters

Parameter Attribute DataType Description Allowed Values
ExcludeTarget Write MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget A single entity that's excluded from using this feature.
IncludeTarget Write MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget A single entity that's allowed to use this feature.
State Write String Enable or disable the feature. Possible values are: default, enabled, disabled, unknownFutureValue. The default value is used when the configuration hasn't been explicitly set and uses the default behavior of Azure AD for the setting. The default value is disabled. default, enabled, disabled, unknownFutureValue

MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String The ID of the entity that's targeted in the include or exclude rule or all_users to target all users.
TargetType Write String The kind of entity that's targeted. The possible values are: group, administrativeUnit, role, unknownFutureValue. group, administrativeUnit, role, unknownFutureValue

MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String The object identifier of an Azure AD group.
TargetType Write String The type of the authentication method target. Possible values are: group and unknownFutureValue. user, group, unknownFutureValue

MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String The object identifier of an Azure AD group.
TargetType Write String The type of the authentication method target. Possible values are: group and unknownFutureValue. user, group, unknownFutureValue

Description

Azure AD Authentication Method Policy Authenticator

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
  • Update

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All

Application permissions

  • Read

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
  • Update

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADAuthenticationMethodPolicyAuthenticator "AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator"
        {
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
            Ensure                = "Present";
            ExcludeTargets        = @(
                MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{
                    Id = 'Executives' # Updated Property
                    TargetType = 'group'
                }
            );
            FeatureSettings       = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{
                DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'default'
                }
                CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'default'
                }
                DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'default'
                }
            };
            Id                    = "MicrosoftAuthenticator";
            IncludeTargets        = @(
                MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{
                    Id = 'Finance Team'
                    TargetType = 'group'
                }
                MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{
                    Id = 'Northwind Traders'
                    TargetType = 'group'
                }
            );
            IsSoftwareOathEnabled = $False;
            State                 = "enabled";
        }
    }
}

Example 2

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        param(
            [Parameter()]
            [System.String]
            $ApplicationId,

            [Parameter()]
            [System.String]
            $TenantId,

            [Parameter()]
            [System.String]
            $CertificateThumbprint
        )
        AADAuthenticationMethodPolicyAuthenticator "AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator"
        {
            Ensure                = "Absent";
            Id                    = "MicrosoftAuthenticator";
            IncludeTargets        = @(
                MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{
                    Id = 'fakegroup6'
                    TargetType = 'group'
                }
            );
            IsSoftwareOathEnabled = $True; # Updated Property
            State                 = "enabled";
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}