AADAuthenticationMethodPolicyX509

Parameters

Parameter Attribute DataType Description Allowed Values
AuthenticationModeConfiguration Write MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings.
CertificateUserBindings Write MSFT_MicrosoftGraphx509CertificateUserBinding[] Defines fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user. The priority of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored.
ExcludeTargets Write MSFT_AADAuthenticationMethodPolicyX509ExcludeTarget[] Displayname of the groups of users that are excluded from a policy.
IncludeTargets Write MSFT_AADAuthenticationMethodPolicyX509IncludeTarget[] Displayname of the groups of users that are included from a policy.
State Write String The state of the policy. Possible values are: enabled, disabled. enabled, disabled
Id Key String The unique identifier for an entity. Read-only.
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.

MSFT_MicrosoftGraphX509CertificateAuthenticationModeConfiguration

Parameters

Parameter Attribute DataType Description Allowed Values
Rules Write MSFT_MicrosoftGraphX509CertificateRule[] Rules are configured in addition to the authentication mode to bind a specific x509CertificateRuleType to an x509CertificateAuthenticationMode. For example, bind the policyOID with identifier 1.32.132.343 to x509CertificateMultiFactor authentication mode.
X509CertificateAuthenticationDefaultMode Write String The type of strong authentication mode. The possible values are: x509CertificateSingleFactor, x509CertificateMultiFactor, unknownFutureValue. x509CertificateSingleFactor, x509CertificateMultiFactor, unknownFutureValue

MSFT_MicrosoftGraphX509CertificateRule

Parameters

Parameter Attribute DataType Description Allowed Values
Identifier Write String The identifier of the X.509 certificate. Required.
X509CertificateAuthenticationMode Write String The type of strong authentication mode. The possible values are: x509CertificateSingleFactor, x509CertificateMultiFactor, unknownFutureValue. Required. x509CertificateSingleFactor, x509CertificateMultiFactor, unknownFutureValue
X509CertificateRuleType Write String The type of the X.509 certificate mode configuration rule. The possible values are: issuerSubject, policyOID, unknownFutureValue. Required. issuerSubject, policyOID, unknownFutureValue

MSFT_MicrosoftGraphX509CertificateUserBinding

Parameters

Parameter Attribute DataType Description Allowed Values
Priority Write UInt32 The priority of the binding. Azure AD uses the binding with the highest priority. This value must be a non-negative integer and unique in the collection of objects in the certificateUserBindings property of an x509CertificateAuthenticationMethodConfiguration object. Required
UserProperty Write String Defines the Azure AD user property of the user object to use for the binding. The possible values are: userPrincipalName, onPremisesUserPrincipalName, email. Required.
X509CertificateField Write String The field on the X.509 certificate to use for the binding. The possible values are: PrincipalName, RFC822Name.

MSFT_AADAuthenticationMethodPolicyX509ExcludeTarget

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String The object identifier of an Azure AD group.
TargetType Write String The type of the authentication method target. Possible values are: group and unknownFutureValue. group, unknownFutureValue

MSFT_AADAuthenticationMethodPolicyX509IncludeTarget

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String The object identifier of an Azure AD group.
isRegistrationRequired Write Boolean Determines if the user is enforced to register the authentication method.
TargetType Write String The type of the authentication method target. Possible values are: group and unknownFutureValue. group, unknownFutureValue

Description

Azure AD Authentication Method Policy X509

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
  • Update

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All

Application permissions

  • Read

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
  • Update

    • Policy.ReadWrite.AuthenticationMethod, Policy.Read.All

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADAuthenticationMethodPolicyX509 "AADAuthenticationMethodPolicyX509-X509Certificate"
        {
            AuthenticationModeConfiguration = MSFT_MicrosoftGraphx509CertificateAuthenticationModeConfiguration{
                X509CertificateAuthenticationDefaultMode = 'x509CertificateSingleFactor'
                Rules = @()
            };
            CertificateUserBindings         = @(
                MSFT_MicrosoftGraphx509CertificateUserBinding{
                    Priority = 1
                    UserProperty = 'userPrincipalName'
                    X509CertificateField = 'PrincipalName'
                }
                MSFT_MicrosoftGraphx509CertificateUserBinding{
                    Priority = 2
                    UserProperty = 'userPrincipalName'
                    X509CertificateField = 'RFC822Name'
                }
                MSFT_MicrosoftGraphx509CertificateUserBinding{
                    Priority = 3
                    UserProperty = 'certificateUserIds'
                    X509CertificateField = 'SubjectKeyIdentifier'
                }
            );
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
            Ensure                          = "Present";
            ExcludeTargets                  = @(
                MSFT_AADAuthenticationMethodPolicyX509ExcludeTarget{
                    Id = 'DSCGroup'
                    TargetType = 'group'
                }
            );
            Id                              = "X509Certificate";
            IncludeTargets                  = @(
                MSFT_AADAuthenticationMethodPolicyX509IncludeTarget{
                    Id = 'Finance Team'
                    TargetType = 'group'
                }
            );
            State                           = "enabled";
        }
    }
}

Example 2

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $credsCredential
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADAuthenticationMethodPolicyX509 "AADAuthenticationMethodPolicyX509-X509Certificate"
        {
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
            Ensure                          = "Absent";
            Id                              = "X509Certificate";
        }
    }
}