Public/TenantConfiguration/Baseline/Add-WindowsHelloForBusinessPINReset.ps1
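function Add-WindowsHelloForBusinessPINReset {
    # .SYNOPSIS
    # Registers the Windows Hello for Business PIN reset service and client
    # service principals in a customer tenant and creates their delegated
    # permission grants.
    #
    # .DESCRIPTION
    # Connects to the tenant through Connect-CustomerGraph, then for each of the
    # two applications creates the service principal if it is not present and
    # adds OAuth2 permission grants with ConsentType "AllPrincipals". That consent
    # type is tenant-wide: the grants apply to every user, and the service grant
    # includes Directory.Read.All, so these objects should be expected in any
    # review of consented applications.
    #
    # A principal that already exists is left untouched and its grants are not
    # verified, so a run that failed between principal creation and grant
    # creation is not repaired by running the function again.
    #
    # .PARAMETER TenantId
    # Customer tenant identifier passed to Connect-CustomerGraph.
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    # Errors written as non-terminating would bypass the catch block below and
    # let the "Created ..." message print after a failed call; make every
    # failure in this function terminating.
    $ErrorActionPreference = 'Stop'

    # Application (client) IDs are the same in every tenant. They are used for
    # the existence check because displayName is neither unique nor a
    # trustworthy identifier: an unrelated principal carrying the same name
    # would make the check pass and silently skip the configuration.
    $serviceAppId = 'b8456c59-1230-44c7-a4a2-99b085333e84'
    $clientAppId = '9115dd05-fad5-4f9c-acc7-305d08b1b04e'

    # NOTE(review): ResourceId on an OAuth2 permission grant is the object ID of
    # the resource service principal inside the target tenant. These two values
    # are hard-coded, so confirm they resolve in every customer tenant or look
    # the resource principals up by appId instead.
    $directoryResourceId = '93e92c6e-d279-435b-8230-118495906230'
    # NOTE(review): presumably this is meant to be the PIN reset service
    # principal handled in the first step (its Id in this tenant) - confirm.
    $resetServiceResourceId = '713fc99e-a9d4-4323-a861-50caf685caf9'

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        # --- PIN reset service -------------------------------------------------
        $existingService = Get-MgServicePrincipal -Filter "appId eq '$serviceAppId'"
        if ($existingService) {
            Write-Host "Windows Hello for Business PIN Reset service principal already exists, not creating.." -ForegroundColor Yellow
        }
        else {
            $newService = New-MgServicePrincipal -AccountEnabled:$true `
                -AppId $serviceAppId `
                -DisplayName "Microsoft Pin Reset Service Production" `
                -Homepage "https://cred.microsoft.com"

            # Result discarded on purpose so the grant object is not emitted
            # on the function's output stream.
            $null = New-MgOauth2PermissionGrant -ClientId $newService.Id `
                -ConsentType "AllPrincipals" `
                -Scope "User.Read Directory.Read.All" `
                -ResourceId $directoryResourceId

            Write-Host "Created Windows Hello for Business PIN Reset service principal and permission grant!" -ForegroundColor Green
        }

        # --- PIN reset client --------------------------------------------------
        $existingClient = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
        if ($existingClient) {
            Write-Host "Windows Hello for Business PIN Reset client service principal already exists, not creating.." -ForegroundColor Yellow
        }
        else {
            $newClient = New-MgServicePrincipal -AccountEnabled:$true `
                -AppId $clientAppId `
                -DisplayName "Microsoft Pin Reset Client Production"

            $null = New-MgOauth2PermissionGrant -ClientId $newClient.Id `
                -ConsentType "AllPrincipals" `
                -Scope "User.Read" `
                -ResourceId $directoryResourceId

            $null = New-MgOauth2PermissionGrant -ClientId $newClient.Id `
                -ConsentType "AllPrincipals" `
                -Scope "user_impersonation" `
                -ResourceId $resetServiceResourceId

            Write-Host "Created Windows Hello for Business PIN Reset client service principal and permission grants!" -ForegroundColor Green
        }
    }
    catch {
        throw "Failed to create Windows Hello for Business PIN Reset configuration: $_"
    }
}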