AADAuthenticationMethodPolicyFido2¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| IsAttestationEnforced | Write | Boolean | Determines whether attestation must be enforced for FIDO2 security key registration. | |
| IsSelfServiceRegistrationAllowed | Write | Boolean | Determines if users can register new FIDO2 security keys. | |
| KeyRestrictions | Write | MSFT_MicrosoftGraphFido2KeyRestrictions | Controls whether key restrictions are enforced on FIDO2 security keys, either allowing or disallowing certain key types as defined by Authenticator Attestation GUID (AAGUID), an identifier that indicates the type (e.g. make and model) of the authenticator. | |
| ExcludeTargets | Write | MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget[] | Displayname of the groups of users that are excluded from a policy. | |
| IncludeTargets | Write | MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget[] | Displayname of the groups of users that are included from a policy. | |
| PasskeyProfiles | Write | MSFT_AADAuthenticationMethodPolicyFido2PasskeyProfile[] | Passkey profiles configuration for FIDO2 authentication. | |
| State | Write | String | The state of the policy. Possible values are: enabled, disabled. | enabled, disabled |
| Id | Key | String | The unique identifier for an entity. Read-only. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
Embedded Instances¶
MSFT_MicrosoftGraphFido2KeyRestrictions¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AaGuids | Write | StringArray[] | A collection of Authenticator Attestation GUIDs. AADGUIDs define key types and manufacturers. | |
| EnforcementType | Write | String | Enforcement type. Possible values are: allow, block. | allow, block, unknownFutureValue |
| IsEnforced | Write | Boolean | Determines if the configured key enforcement is enabled. |
MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Key | String | The object identifier of an Azure AD group. | |
| TargetType | Key | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | group, unknownFutureValue |
| IsRegistrationRequired | Write | Boolean | Determines if registration is required for the authentication method. | |
| AllowedPasskeyProfiles | Write | StringArray[] | Collection of allowed passkey profile IDs for this target. |
MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Key | String | The object identifier of an Azure AD group. | |
| TargetType | Key | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | group, unknownFutureValue |
| IsRegistrationRequired | Write | Boolean | Determines if registration is required for the authentication method. | |
| AllowedPasskeyProfiles | Write | StringArray[] | Collection of allowed passkey profile IDs for this target. |
MSFT_AADAuthenticationMethodPolicyFido2PasskeyProfile¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Write | String | The unique identifier for the passkey profile. | |
| Name | Key | String | The display name for the passkey profile. | |
| PasskeyTypes | Write | String | The passkey types supported by this profile. | deviceBound, deviceBound,synced, crossDevice, synced |
| AttestationEnforcement | Write | String | The attestation enforcement level for this profile. | disabled, registrationOnly, registrationAndSignIn |
| KeyRestrictions | Write | MSFT_MicrosoftGraphFido2KeyRestrictions | Key restrictions for this passkey profile. |
Description¶
Azure AD Authentication Method Policy Fido2
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
Delegated permissions¶
- Read
-
Policy.Read.AuthenticationMethod, Group.Read.All
-
Update
- Policy.ReadWrite.AuthenticationMethod, Group.Read.All
Application permissions¶
- Read
-
Policy.Read.AuthenticationMethod, Group.Read.All
-
Update
- Policy.ReadWrite.AuthenticationMethod, Group.Read.All
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
Node localhost
{
AADAuthenticationMethodPolicyFido2 "AADAuthenticationMethodPolicyFido2-Fido2"
{
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
Ensure = "Present";
ExcludeTargets = @(
MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget{
Id = 'Paralegals'
TargetType = 'group'
}
MSFT_AADAuthenticationMethodPolicyFido2ExcludeTarget{
Id = 'Executives'
TargetType = 'group'
}
);
Id = "Fido2";
IncludeTargets = @(
MSFT_AADAuthenticationMethodPolicyFido2IncludeTarget{
Id = 'all_users'
TargetType = 'group'
}
);
IsAttestationEnforced = $False;
IsSelfServiceRegistrationAllowed = $True;
KeyRestrictions = MSFT_MicrosoftGraphFido2KeyRestrictions{
IsEnforced = $False
EnforcementType = 'block'
AaGuids = @()
};
PasskeyProfiles = @(
MSFT_AADAuthenticationMethodPolicyFido2PasskeyProfile{
AttestationEnforcement = "registrationOnly"
Id = "00000000-0000-0000-0000-000000000001"
KeyRestrictions = MSFT_MicrosoftGraphFido2KeyRestrictions{
AaGuids = @(
"90a3ccdf-635c-4729-a248-9b709135078f"
"de1e552d-db1d-4423-a619-566b625cdc84"
)
EnforcementType = "block"
IsEnforced = $True
}
Name = "Default passkey profile"
PasskeyTypes = "deviceBound"
}
MSFT_AADAuthenticationMethodPolicyFido2PasskeyProfile{
AttestationEnforcement = "disabled"
Id = "cdd85462-0de2-4642-99f8-3f6d70fa5125"
KeyRestrictions = MSFT_MicrosoftGraphFido2KeyRestrictions{
AaGuids = @(
"de1e552d-db1d-4423-a619-566b625cdc84"
"90a3ccdf-635c-4729-a248-9b709135078f"
)
EnforcementType = "block"
IsEnforced = $True
}
Name = "SWCProfile"
PasskeyTypes = "deviceBound"
}
);
State = "enabled"; # Updated Property
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
Import-DscResource -ModuleName Microsoft365DSC
Node localhost
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
AADAuthenticationMethodPolicyFido2 "AADAuthenticationMethodPolicyFido2-Fido2"
{
Ensure = "Absent";
Id = "Fido2";
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}