[GH-ISSUE #1789] [Feature Request]: Standards - Enable Microsoft OTP in Auth methods #946

Closed
opened 2026-03-02 12:46:31 +03:00 by kerem · 4 comments

Originally created by @kris6673 on GitHub (Oct 6, 2023).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1789

Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole.

Many of our customers are using the MS NPS extension for VPN authentication and, after number matching has become mandatory, now rely on the OTP code from the Authenticator app instead of getting a push notification. The current CIPP standard "[Enable Passwordless with Location information and Number Matching](https://github.com/KelvinTegelaar/CIPP-API/blob/dev/Standards_PWdisplayAppInformationRequiredState/run.ps1)" changes this to Disabled every time standards run.

Having a dropdown to choose if it should be enabled or disabled like with "[Set Authenticator Lite state](https://github.com/KelvinTegelaar/CIPP-API/blob/dev/Standards_PWcompanionAppAllowedState/run.ps1)" would be nice.
Default set to "No" for backwards compatibility.

Since the feature is locked behind registering the Authenticator app and this is just an add-on, it should not decrease security. At least to my knowledge.

PowerShell commands you would normally use to achieve above request

This is your own code, only part modified is: "isSoftwareOathEnabled" being set to true instead of false

```
try {
    # Only change from the existing standard: "isSoftwareOathEnabled" is true instead of false
    $body = @"
{"@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration","id":"MicrosoftAuthenticator","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","authenticationMode":"any"}],"excludeTargets":[],"state":"enabled","isSoftwareOathEnabled":true,"featureSettings":{"displayLocationInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"displayAppInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"companionAppAllowedState":{"state":"default","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}}}}
"@
    # PATCH the Microsoft Authenticator authentication method configuration for the tenant
    (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -Type patch -Body $body -ContentType "application/json")

    Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled passwordless with Information and Number Matching." -sev Info
}
catch {
    Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. Error: $($_.exception.message)" -sev "Error"
}
```

@github-actions[bot] commented on GitHub (Oct 6, 2023):

Thank you for creating a feature request!
Your current priority is set to "No Priority". No Priority Feature requests automatically get closed in two days if a contributor does not accept the FR.

If you are a sponsor you can request an upgrade of priority. To upgrade the priority type "I would like to upgrade the priority".
If you want this feature to be integrated you can always do this yourself by checking out our contributions guide at https://cipp.app/docs/dev/. Contributors to the CIPP project reserve the right to close feature requests at will.
If you'd like this feature request to be assigned to you, please comment "I would like to work on this please!".


@KelvinTegelaar commented on GitHub (Oct 6, 2023):

Only sponsors can create FRs.


@KelvinTegelaar commented on GitHub (Oct 24, 2023):

Added in dev; we no longer send that in the patch at all, so users can decide for themselves whether to enable it or not.


@kris6673 commented on GitHub (Oct 24, 2023):

> Added in dev; we no longer send that in the patch at all, so users can decide for themselves whether to enable it or not.

Awesome thanks!
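
The resolution described in the thread (leaving `isSoftwareOathEnabled` out of the PATCH body so the tenant's own setting survives each standards run) can be sketched as follows. This is an added example, not CIPP's code: the function name `New-AuthenticatorPolicyPatchBody` and its `-SoftwareOathEnabled` parameter are hypothetical, and it relies on Microsoft Graph PATCH leaving properties that are absent from the request body at their current values.

```powershell
# Added example (not CIPP code). Function and parameter names are hypothetical.
function New-AuthenticatorPolicyPatchBody {
    [CmdletBinding()]
    param(
        # Tri-state: omit the parameter to leave the tenant's OTP setting untouched.
        [Nullable[bool]]$SoftwareOathEnabled
    )

    $allUsers = [ordered]@{ id = 'all_users'; targetType = 'group'; displayName = 'All users' }

    # Same fields as the body quoted in the issue, minus isSoftwareOathEnabled.
    $body = [ordered]@{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        id              = 'MicrosoftAuthenticator'
        includeTargets  = @(
            [ordered]@{
                id                     = 'all_users'
                isRegistrationRequired = $false
                targetType             = 'group'
                authenticationMode     = 'any'
            }
        )
        excludeTargets  = @()
        state           = 'enabled'
        featureSettings = [ordered]@{
            displayLocationInformationRequiredState = [ordered]@{ state = 'enabled'; includeTarget = $allUsers }
            displayAppInformationRequiredState      = [ordered]@{ state = 'enabled'; includeTarget = $allUsers }
            companionAppAllowedState                = [ordered]@{ state = 'default'; includeTarget = $allUsers }
        }
    }

    # Add the key only when the caller made an explicit choice.
    if ($PSBoundParameters.ContainsKey('SoftwareOathEnabled') -and $null -ne $SoftwareOathEnabled) {
        $body['isSoftwareOathEnabled'] = [bool]$SoftwareOathEnabled
    }

    $body | ConvertTo-Json -Depth 10 -Compress
}

# Baseline run with no OTP preference: the key is not sent at all.
$baseline = New-AuthenticatorPolicyPatchBody
# Explicit opt-in, e.g. for tenants using the NPS extension with OTP codes.
$withOtp  = New-AuthenticatorPolicyPatchBody -SoftwareOathEnabled $true

# Check both bodies before they are sent anywhere.
'Baseline sends isSoftwareOathEnabled: {0}' -f ($baseline -match '"isSoftwareOathEnabled"')
'Opt-in sends isSoftwareOathEnabled:   {0}' -f ($withOtp -match '"isSoftwareOathEnabled"')
```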
