mirror of
https://github.com/KelvinTegelaar/CIPP.git
synced 2026-04-25 08:16:01 +03:00
[GH-ISSUE #4102] [Feature Request]: Deploying Authentication Strengths via Standards #1859
Originally created by @mpersak on GitHub (May 16, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4102
Problem Statement
We are pushing our clients to completely passwordless (phishing-resistant) sign-in; a way to do this would be via a new CA policy that uses Authentication strengths:
"Require authentication strength"
The base policies configured by Microsoft don't have the TAP method in the "Phishing-resistant MFA" authentication strength policy, hence setup of user devices will not be easy.
Benefits for MSPs
It gives us an option to set Authentication strengths as a standard and not manually configure them.
Value or Importance
Nice to have, avoids manual configuration
PowerShell Commands (Optional)
```powershell
# Connect to Microsoft Graph with the scopes needed for CA and authentication method policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod"

# Define the authentication strength policy (requires Microsoft.Graph.Identity.SignIns)
$params = @{
    displayName           = "Phishing-Resistant with TAP"
    requirementsSatisfied = "mfa"
    allowedCombinations   = @(
        "windowsHelloForBusiness",
        "fido2",
        "x509CertificateMultiFactor",
        "deviceBasedPush",
        "temporaryAccessPassOneTime"   # TAP, so a new device can be bootstrapped
    )
}
New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $params
```
@KelvinTegelaar commented on GitHub (May 16, 2025):
Create a template of a policy that already contains the strengths you want. A CA policy template has everything in there, and will create the strengths to use in the policy.
@mpersak commented on GitHub (May 16, 2025):
Hi Kelvin, I just tested it now and it doesn't work:
Failed to create or update conditional access rule . Error: Failed to create or update conditional access rule REQUIRE: MFA for Users - Passwordless: 1107: The given authentication strength ID '00000000-0000-0000-0000-000000000000' does not correspond to a valid authentication strength. The valid authentication strengths are either one of the following built-in authentication strengths: 00000000-0000-0000-0000-000000000002 => Multifactor authentication, 00000000-0000-0000-0000-000000000003 => Passwordless MFA, 00000000-0000-0000-0000-000000000004 => Phishing-resistant MFA, or a custom authentication strength from the /identity/conditionalAccess/authenticationStrength/policies API.
Built-in ones don't include TAP.
@mpersak commented on GitHub (May 16, 2025):
Sorry, correction, you are right. I forgot CIPP can fail the first time a standard runs, as it will add the new underlying items, and then the next time it runs it will add the policy.
Tested now, seems to work OK. It is strange that in the portal it doesn't select the authentication policy created in authentication strengths; it just states "required authentication strengths" with no policy detected. The CIPP side shows the correct types. Will test and report if any issues.
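The 1107 error above is what Graph returns when a CA policy references an authentication strength that was never resolved to a real ID (the all-zero GUID). The following is an added example, not code from the issue or from CIPP: it resolves or creates the custom strength first and only then builds the CA policy from the returned ID. It assumes the Microsoft.Graph.Identity.SignIns module and the scopes from the PowerShell section; the break-glass group ID is a placeholder.

```powershell
# Added example (not from the issue or CIPP). Ensure the custom strength exists,
# then reference it by the ID Graph returned, so the CA policy never carries an
# unresolved (all-zero) authenticationStrength id as in the 1107 error above.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod"

$strengthName = "Phishing-Resistant with TAP"

# Built-in and custom strengths come back together; match by displayName client-side.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.DisplayName -eq $strengthName } | Select-Object -First 1

if (-not $strength) {
    $strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
        displayName           = $strengthName
        requirementsSatisfied = "mfa"
        allowedCombinations   = @(
            "windowsHelloForBusiness",
            "fido2",
            "x509CertificateMultiFactor",
            "deviceBasedPush",
            "temporaryAccessPassOneTime"   # TAP lets a new device be bootstrapped
        )
    }
}

# Refuse to continue with a placeholder id; this is exactly the condition behind error 1107.
if ([string]::IsNullOrEmpty($strength.Id) -or $strength.Id -eq "00000000-0000-0000-0000-000000000000") {
    throw "Authentication strength '$strengthName' did not resolve to a valid id."
}

$caPolicy = @{
    displayName   = "REQUIRE: MFA for Users - Passwordless"
    state         = "enabledForReportingButNotEnforced"   # report-only until sign-in logs look clean
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-id>")    # placeholder: emergency access accounts
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }   # the resolved id, never a literal GUID
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

Running the strength lookup and the CA policy creation in one pass is also why a two-step standard (create strength, then policy) can fail on its first run and succeed on the next, as described in the thread.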