AADAuthenticationMethodPolicyAuthenticator¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
FeatureSettings | Write | MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings | A collection of Microsoft Authenticator settings such as number matching and location context, and whether they are enabled for all users or specific users only. | |
IsSoftwareOathEnabled | Write | Boolean | true if users can use the OTP code generated by the Microsoft Authenticator app, false otherwise. | |
ExcludeTargets | Write | MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget[] | Displayname of the groups of users that are excluded from a policy. | |
IncludeTargets | Write | MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget[] | Displayname of the groups of users that are included from a policy. | |
State | Write | String | The state of the policy. Possible values are: enabled, disabled. | enabled , disabled |
Id | Key | String | The unique identifier for an entity. Read-only. | |
Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present , Absent |
Credential | Write | PSCredential | Credentials of the Admin | |
ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
ManagedIdentity | Write | Boolean | Managed ID being used for authentication. |
MSFT_MicrosoftGraphMicrosoftAuthenticatorFeatureSettings¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
CompanionAppAllowedState | Write | MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration | Determines whether users will be able to approve push notifications on other Microsoft applications such as Outlook Mobile. | |
DisplayAppInformationRequiredState | Write | MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration | Determines whether the user's Authenticator app will show them the client app they are signing into. | |
DisplayLocationInformationRequiredState | Write | MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration | Determines whether the user's Authenticator app will show them the geographic location of where the authentication request originated from. | |
NumberMatchingRequiredState | Write | MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration | Specifies whether the user needs to enter a number in the Authenticator app from the login screen to complete their login. Value is ignored for phone sign-in notifications. |
MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
ExcludeTarget | Write | MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget | A single entity that's excluded from using this feature. | |
IncludeTarget | Write | MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget | A single entity that's allowed to use this feature. | |
State | Write | String | Enable or disable the feature. Possible values are: default, enabled, disabled, unknownFutureValue. The default value is used when the configuration hasn't been explicitly set and uses the default behavior of Azure AD for the setting. The default value is disabled. | default , enabled , disabled , unknownFutureValue |
MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Id | Write | String | The ID of the entity that's targeted in the include or exclude rule or all_users to target all users. | |
TargetType | Write | String | The kind of entity that's targeted. The possible values are: group, administrativeUnit, role, unknownFutureValue. | group , administrativeUnit , role , unknownFutureValue |
MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Id | Write | String | The object identifier of an Azure AD group. | |
TargetType | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | user , group , unknownFutureValue |
MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Id | Write | String | The object identifier of an Azure AD group. | |
TargetType | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | user , group , unknownFutureValue |
Description¶
Azure AD Authentication Method Policy Authenticator
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
-
Update
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
Application permissions¶
-
Read
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
-
Update
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
Import-DscResource -ModuleName Microsoft365DSC
Node localhost
{
AADAuthenticationMethodPolicyAuthenticator "AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator"
{
ApplicationId = $ConfigurationData.NonNodeData.ApplicationId;
CertificateThumbprint = $ConfigurationData.NonNodeData.CertificateThumbprint;
Ensure = "Present";
ExcludeTargets = @(
MSFT_AADAuthenticationMethodPolicyAuthenticatorExcludeTarget{
Id = 'fakegroup1'
TargetType = 'group'
}
);
FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{
DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = '00000000-0000-0000-0000-000000000000'
TargetType = 'group'
}
IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = 'fakegroup2'
TargetType = 'group'
}
State = 'enabled'
}
NumberMatchingRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = '00000000-0000-0000-0000-000000000000'
TargetType = 'group'
}
IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = 'fakegroup3'
TargetType = 'group'
}
State = 'enabled'
}
CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = '00000000-0000-0000-0000-000000000000'
TargetType = 'group'
}
IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = 'fakegroup4'
TargetType = 'group'
}
State = 'enabled'
}
DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = '00000000-0000-0000-0000-000000000000'
TargetType = 'group'
}
IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
Id = 'fakegroup5'
TargetType = 'group'
}
State = 'enabled'
}
};
Id = "MicrosoftAuthenticator";
IncludeTargets = @(
MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{
Id = 'fakegroup6'
TargetType = 'group'
}
);
IsSoftwareOathEnabled = $False;
State = "enabled";
TenantId = $ConfigurationData.NonNodeData.TenantId;
}
}
}