Public/TenantConfiguration/Baseline/Add-AuthenticationMethodPolicy.ps1
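function Add-AuthenticationMethodPolicy {
    <#
    .SYNOPSIS
        Applies the baseline authentication methods policy to a customer tenant.

    .DESCRIPTION
        Connects to the customer tenant via Connect-CustomerGraph and PATCHes the
        tenant-wide authenticationMethodsPolicy with a fixed set of per-method
        states (see the hashtable below) and a disabled Authenticator
        registration campaign.

        NOTE(review): as written, this baseline leaves only MicrosoftAuthenticator
        and SoftwareOath enabled and disables Fido2, X509Certificate and
        TemporaryAccessPass - i.e. the passwordless / phishing-resistant options
        are turned off. Confirm that is the intended posture before rolling this
        out, and that no user relies on a method being disabled here.

    .PARAMETER TenantId
        Tenant identifier passed straight through to Connect-CustomerGraph.

    .OUTPUTS
        None. Progress is written to the host.

    .NOTES
        Throws a terminating error wrapping the underlying failure if either the
        connection or the policy update fails.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        # Not configuring Hardware OAUTH atm. as it is in beta in the Graph API, and quite cumbersome.
        $AuthenticationMethodPolicyParams = @{
            AuthenticationMethodConfigurations = @(
                # Phishing-resistant / passwordless methods - disabled by this baseline.
                @{ excludeTargets = @(); id = "Fido2";               state = "disabled" }
                @{ excludeTargets = @(); id = "X509Certificate";     state = "disabled" }
                @{ excludeTargets = @(); id = "TemporaryAccessPass"; state = "disabled" }
                # Methods this baseline leaves enabled.
                @{ excludeTargets = @(); id = "MicrosoftAuthenticator"; state = "enabled" }
                @{ excludeTargets = @(); id = "SoftwareOath";           state = "enabled" }
                # Weak / telephony and email-based methods - disabled.
                @{ excludeTargets = @(); id = "Sms";   state = "disabled" }
                @{ excludeTargets = @(); id = "Voice"; state = "disabled" }
                @{ excludeTargets = @(); id = "Email"; state = "disabled" }
            )
            # $null = no periodic re-confirmation of registered methods.
            ReconfirmationInDays    = $null
            RegistrationEnforcement = @{
                AuthenticationMethodsRegistrationCampaign = @{
                    ExcludeTargets = @()
                    IncludeTargets = @(
                        @{
                            Id                           = "all_users"
                            TargetType                   = "group"
                            TargetedAuthenticationMethod = "microsoftAuthenticator"
                        }
                    )
                    SnoozeDurationInDays = 7
                    # Campaign is targeted at all users but left switched off.
                    State                = "disabled"
                }
            }
        }

        # -ErrorAction Stop: Graph SDK cmdlets may report failures as
        # non-terminating errors, which would otherwise slip past the catch
        # below and leave the "Updated" message printed on a failed update.
        # The cmdlet's output was never used, so discard it rather than
        # keeping a dead local.
        $null = Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $AuthenticationMethodPolicyParams -ErrorAction Stop

        Write-Host "Updated authentication methods policy!" -ForegroundColor Green
    }
    catch {
        throw "Failed to update authentication methods policy: $_"
    }
}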