Public/TenantConfiguration/Baseline/Add-WindowsHelloForBusinessPINReset.ps1
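function Add-WindowsHelloForBusinessPINReset {
    <#
    .SYNOPSIS
        Provisions the Windows Hello for Business PIN Reset service principals and their
        admin-consented OAuth2 permission grants in a customer tenant.

    .DESCRIPTION
        Connects to the customer tenant with Connect-CustomerGraph and then, idempotently:
          1. Ensures the "Microsoft Pin Reset Service Production" service principal
             (appId b8456c59-1230-44c7-a4a2-99b085333e84) exists.
          2. Grants it User.Read and Directory.Read.All on the Windows Azure Active Directory
             resource principal (appId 00000002-0000-0000-c000-000000000000), consent type
             AllPrincipals.
          3. Ensures the "Microsoft Pin Reset Client Production" service principal
             (appId 9115dd05-fad5-4f9c-acc7-305d08b1b04e) exists.
          4. Grants it User.Read on the same resource principal and user_impersonation on
             the PIN Reset Service principal, consent type AllPrincipals.

        Service principals are located by appId, never by displayName. A display name is
        not unique and can be chosen by any application owner, so matching on it could
        attach tenant-wide admin consent to an unrelated principal that merely carries the
        same name; the appId is the fixed identifier of Microsoft's first-party app.

        Existing grants are detected by the clientId + resourceId pair and are left as they
        are: scopes are not reconciled, so a grant with a different scope set is reported
        as "already exists" rather than updated.

    .PARAMETER TenantId
        The customer tenant to configure; passed straight to Connect-CustomerGraph.

    .OUTPUTS
        None. Progress is reported with Write-Host only.

    .NOTES
        Any failure (including a missing Windows Azure Active Directory service principal)
        is rethrown as a single terminating error prefixed with
        "Failed to create Windows Hello for Business PIN Reset configuration".
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    # Returns the service principal with the given appId, creating it when absent.
    # $Description is only used to compose the progress messages
    # ("... PIN Reset <Description> already exists" / "Created ... PIN Reset <Description>!").
    function Initialize-PinResetServicePrincipal {
        param(
            [Parameter(Mandatory)] [string]$AppId,
            [Parameter(Mandatory)] [string]$DisplayName,
            [Parameter(Mandatory)] [string]$Description,
            [string]$Homepage
        )

        # appId, not displayName: the identity check must not be spoofable by a name.
        $existing = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
        if ($existing) {
            Write-Host "Windows Hello for Business PIN Reset $Description already exists, not creating.." -ForegroundColor Yellow
            return $existing
        }

        $newParams = @{
            AccountEnabled = $true
            AppId          = $AppId
            DisplayName    = $DisplayName
        }
        # Only the service principal declares a homepage; the client does not.
        if ($Homepage) {
            $newParams['Homepage'] = $Homepage
        }

        $created = New-MgServicePrincipal @newParams
        Write-Host "Created Windows Hello for Business PIN Reset $Description!" -ForegroundColor Green
        return $created
    }

    # Returns the OAuth2 permission grant for the client/resource pair, creating it with
    # the given scope (admin consent for all principals) when absent.
    function Initialize-PinResetPermissionGrant {
        param(
            [Parameter(Mandatory)] [string]$ClientId,
            [Parameter(Mandatory)] [string]$ResourceId,
            [Parameter(Mandatory)] [string]$Scope,
            [Parameter(Mandatory)] [string]$Description
        )

        # Both ids are required in the filter: a client can hold grants on several
        # resources, and a grant on a different resource must not mask a missing one.
        $existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$ClientId' and resourceId eq '$ResourceId'"
        if ($existing) {
            Write-Host "Windows Hello for Business PIN Reset $Description already exists, not creating.." -ForegroundColor Yellow
            return $existing
        }

        $created = New-MgOauth2PermissionGrant -ClientId $ClientId -ConsentType "AllPrincipals" -Scope $Scope -ResourceId $ResourceId
        Write-Host "Created Windows Hello for Business PIN Reset $Description!" -ForegroundColor Green
        return $created
    }

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        # Resource principal that the User.Read / Directory.Read.All grants target.
        $azureAdSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0000-c000-000000000000'"
        if (-not $azureAdSp) {
            # Fail here with a clear message instead of later with a null ResourceId.
            throw "Windows Azure Active Directory service principal (appId 00000002-0000-0000-c000-000000000000) was not found in tenant $TenantId"
        }

        $pinResetService = Initialize-PinResetServicePrincipal `
            -AppId 'b8456c59-1230-44c7-a4a2-99b085333e84' `
            -DisplayName 'Microsoft Pin Reset Service Production' `
            -Homepage 'https://cred.microsoft.com' `
            -Description 'service principal'

        # Assigned to $null so the grant objects never reach the caller's pipeline.
        $null = Initialize-PinResetPermissionGrant `
            -ClientId $pinResetService.Id `
            -ResourceId $azureAdSp.Id `
            -Scope 'User.Read Directory.Read.All' `
            -Description 'service principal permission grant'

        $pinResetClient = Initialize-PinResetServicePrincipal `
            -AppId '9115dd05-fad5-4f9c-acc7-305d08b1b04e' `
            -DisplayName 'Microsoft Pin Reset Client Production' `
            -Description 'client service principal'

        $null = Initialize-PinResetPermissionGrant `
            -ClientId $pinResetClient.Id `
            -ResourceId $azureAdSp.Id `
            -Scope 'User.Read' `
            -Description 'client service principal Entra ID permission grant'

        $null = Initialize-PinResetPermissionGrant `
            -ClientId $pinResetClient.Id `
            -ResourceId $pinResetService.Id `
            -Scope 'user_impersonation' `
            -Description 'client service principal permission grant'
    }
    catch {
        throw "Failed to create Windows Hello for Business PIN Reset configuration: $_"
    }
}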