AADAuthenticationMethodPolicyFido2¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| IsAttestationEnforced | Write | Boolean | Determines whether attestation must be enforced for FIDO2 security key registration. | |
| IsSelfServiceRegistrationAllowed | Write | Boolean | Determines if users can register new FIDO2 security keys. | |
| KeyRestrictions | Write | MSFT_MicrosoftGraphfido2KeyRestrictions | Controls whether key restrictions are enforced on FIDO2 security keys, either allowing or disallowing certain key types as defined by Authenticator Attestation GUID (AAGUID), an identifier that indicates the type (e.g. make and model) of the authenticator. | |
| ExcludeTargets | Write | MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget[] | Displayname of the groups of users that are excluded from a policy. | |
| IncludeTargets | Write | MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget[] | Displayname of the groups of users that are included from a policy. | |
| State | Write | String | The state of the policy. Possible values are: enabled, disabled. | enabled, disabled |
| Id | Key | String | The unique identifier for an entity. Read-only. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
MSFT_MicrosoftGraphFido2KeyRestrictions¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AaGuids | Write | StringArray[] | A collection of Authenticator Attestation GUIDs. AADGUIDs define key types and manufacturers. | |
| EnforcementType | Write | String | Enforcement type. Possible values are: allow, block. | allow, block, unknownFutureValue |
| IsEnforced | Write | Boolean | Determines if the configured key enforcement is enabled. |
MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Write | String | The object identifier of an Azure AD group. | |
| TargetType | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | user, group, unknownFutureValue |
MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Write | String | The object identifier of an Azure AD group. | |
| TargetType | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | user, group, unknownFutureValue |
Description¶
Azure AD Authentication Method Policy Fido2
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
-
Update
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
Application permissions¶
-
Read
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
-
Update
- Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
Node localhost
{
AADAuthenticationMethodPolicyFido2 "AADAuthenticationMethodPolicyFido2-Fido2"
{
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
Ensure = "Present";
ExcludeTargets = @(
MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget{
Id = 'Paralegals'
TargetType = 'group'
}
MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget{
Id = 'Executives'
TargetType = 'group'
}
);
Id = "Fido2";
IncludeTargets = @(
MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget{
Id = 'all_users'
TargetType = 'group'
}
);
IsAttestationEnforced = $False;
IsSelfServiceRegistrationAllowed = $True;
KeyRestrictions = MSFT_MicrosoftGraphfido2KeyRestrictions{
IsEnforced = $False
EnforcementType = 'block'
AaGuids = @()
};
State = "enabled"; # Updated Property
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
Import-DscResource -ModuleName Microsoft365DSC
Node localhost
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
AADAuthenticationMethodPolicyFido2 "AADAuthenticationMethodPolicyFido2-Fido2"
{
Ensure = "Absent";
Id = "Fido2";
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}