
I would like to programmatically set some of an M365 Tenant’s Authentication Method Policies with Powershell.

Namely, those found here:
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods

For example, I would like to enable Microsoft Authenticator for all users,
as well as optional settings like "Show application name" or "Show geographic location".

This is found by navigating through:
entra.microsoft.com > Identity > Protection > Authentication Methods | Policies >

I can see via the documentation where you can drill through the tenant in Entra:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage

The closest thing I could find is:

Install-Module Microsoft.Graph.Identity.SignIns
# User-level scope: it covers a single user's registered methods, not the tenant policy
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
Select-MgProfile -Name beta   # SDK v1.x only; this cmdlet no longer exists in SDK v2

# Registers a phone method on one user; -PhoneNumber and -PhoneType are required
# (placeholder values shown)
New-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneNumber '+1 2065551234' -PhoneType mobile

Per:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

But this is at the user-level, and isn’t exactly what I’m looking to accomplish.

Thanks in advance.

2 Answers


  1. Chosen as BEST ANSWER

    This is partway there:

    Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId MicrosoftAuthenticator
    
    Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId TemporaryAccessPass
    
    

  2. I am very close. Using these commands I can enable the authentication method (it enables them), but I cannot fully configure it:

    # Keys must be the Graph JSON property names (camelCase) at the top level of the body:
    # the SDK forwards properties the base configuration type does not declare as-is, so
    # PascalCase keys or an AdditionalProperties wrapper are not applied by Graph.
    # Each feature state also carries its includeTarget, as the read-back below shows.
    $allUsers = @{ targetType = 'group'; id = 'all_users' }
    $params = @{
        "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
        state = "enabled"
        featureSettings = @{
            displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers }
            displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers }
        }
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId MicrosoftAuthenticator -BodyParameter $params
    
    $tapparams = @{
        "@odata.type" = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        state = "enabled"
        isUsableOnce = $true   # single-use passes only
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId TemporaryAccessPass -BodyParameter $tapparams
    

    That is… my output looks like this:

    C:> $m = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId MicrosoftAuthenticator
    C:> $m.AdditionalProperties.featureSettings
    
    Key                                     Value
    ---                                     -----
    displayAppInformationRequiredState      {[state, default], [includeTarget, System.Collections.Generic.Dictionary`2[System.String,System.Obj…
    displayLocationInformationRequiredState {[state, default], [includeTarget, System.Collections.Generic.Dictionary`2[System.String,System.Obj…
    
    C:> $m.AdditionalProperties.featureSettings.displayAppInformationRequiredState
    
    Key           Value
    ---           -----
    state         default
    includeTarget {[targetType, group], [id, all_users]}
    excludeTarget {[targetType, group], [id, 00000000-0000-0000-0000-000000000000]}
    
    
    
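The following is an added example, not code from the question or either answer, covering the whole flow they describe: connect with the policy-level scope, enable Microsoft Authenticator for all users with the "show application name" and "show geographic location" options, configure Temporary Access Pass, and read the policy back to confirm it applied. It assumes Graph PowerShell SDK v2 (where Select-MgProfile no longer exists and v1.0 is the default), an account that can consent to Policy.ReadWrite.AuthenticationMethod, and placeholder TAP lifetime and length values chosen for illustration. The function names are mine.

```powershell
# Added example (not from the original post). Tenant-wide authentication method
# policy with Microsoft.Graph.Identity.SignIns. Assumptions: SDK v2, consent to
# Policy.ReadWrite.AuthenticationMethod, and placeholder TAP settings.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
$ErrorActionPreference = 'Stop'

# The policy cmdlets need the policy scope; UserAuthenticationMethod.ReadWrite.All
# only covers a user's own methods (New-MgUserAuthentication*Method).
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# Graph's well-known "all users" target, and the all-zero GUID Graph uses as the
# "exclude nobody" placeholder (both appear in the read-back output above).
$allUsers = @{ targetType = 'group'; id = 'all_users' }
$nobody   = @{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000000' }

function Get-AuthMethodState {
    # Tenant-wide view: every configured method and whether it is enabled.
    Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration |
        Select-Object Id, State
}

function Set-AuthenticatorForAllUsers {
    # Keys are Graph JSON property names at the top level of the body. The SDK
    # forwards properties the base configuration type does not declare as-is,
    # so PascalCase keys or an AdditionalProperties wrapper never reach Graph
    # under the names it expects.
    $body = @{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        state           = 'enabled'
        includeTargets  = @(
            @{ targetType = 'group'; id = 'all_users'; authenticationMode = 'any' }  # any | push | deviceBasedPush
        )
        featureSettings = @{
            displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $nobody }
            displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers; excludeTarget = $nobody }
        }
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' -BodyParameter $body
}

function Set-TemporaryAccessPass {
    # Placeholder values: lifetimes are minutes (10..43200), defaultLength 8..48.
    $body = @{
        '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
        state                    = 'enabled'
        isUsableOnce             = $false   # $true restricts the tenant to single-use passes
        defaultLifetimeInMinutes = 60
        minimumLifetimeInMinutes = 10
        maximumLifetimeInMinutes = 480
        defaultLength            = 8
        includeTargets           = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $body
}

function Test-AuthenticatorFeatureSettings {
    # Read the policy back over the raw endpoint so the result is the wire JSON,
    # not the SDK model (whose base type hides featureSettings in AdditionalProperties).
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
    $fs  = $cfg.featureSettings
    $result = [pscustomobject]@{
        State          = $cfg.state
        AppInformation = $fs.displayAppInformationRequiredState.state
        LocationInfo   = $fs.displayLocationInformationRequiredState.state
    }
    if ($result.State -ne 'enabled' -or $result.AppInformation -ne 'enabled' -or $result.LocationInfo -ne 'enabled') {
        throw "Authenticator policy not applied as expected: $($result | ConvertTo-Json -Compress)"
    }
    $result
}

Get-AuthMethodState
Set-AuthenticatorForAllUsers
Set-TemporaryAccessPass
Test-AuthenticatorFeatureSettings
```

The read-back goes through Invoke-MgGraphRequest on purpose: the Get- cmdlet from the first answer returns the base configuration model, so anything specific to the Authenticator type only shows up as nested dictionaries under AdditionalProperties, while the raw GET returns the same JSON shape the PATCH body used, which makes "did my settings actually stick" a direct comparison.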