Public/Get-GkAuthMethodPolicy.ps1
|
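function Get-GkAuthMethodPolicy {
    <#
    .SYNOPSIS
        Report the tenant authentication-methods policy: which methods are enabled or disabled.

    .DESCRIPTION
        Reads GET /policies/authenticationMethodsPolicy and emits one row per
        authentication method configuration (fido2, microsoftAuthenticator, sms,
        temporaryAccessPass, softwareOath, email, voice, x509Certificate, ...)
        with its state. Useful for confirming which methods a tenant permits.

        Requires Policy.Read.AuthenticationMethod (or Policy.Read.All).

    .PARAMETER EnabledOnly
        Return only methods whose state is 'enabled'.

    .PARAMETER AsReport
        Add a ReportGeneratedUtc column.

    .EXAMPLE
        Get-GkAuthMethodPolicy | Sort-Object State, Method

        All methods with their enabled/disabled state.

    .EXAMPLE
        Get-GkAuthMethodPolicy -EnabledOnly

        Only the methods currently enabled in the tenant.

    .EXAMPLE
        Get-GkAuthMethodPolicy -AsReport | Export-Csv .\auth-methods.csv -NoTypeInformation

    .OUTPUTS
        PSGraphKit.AuthMethodState

    .NOTES
        Only 'id', 'state' and '@odata.type' are read from each configuration.
        Include/exclude targets are not reported, so a State of 'enabled' does
        not by itself show which users or groups a method applies to. Review
        the targets separately when auditing weaker methods such as sms or voice.
    #>
    [CmdletBinding()]
    [OutputType('PSGraphKit.AuthMethodState')]
    param(
        [switch] $EnabledOnly,
        [switch] $AsReport
    )

    begin {
        # Presumably verifies an active Graph connection (helper is defined
        # elsewhere); its output is discarded.
        Test-GkConnection -FunctionName 'Get-GkAuthMethodPolicy' | Out-Null

        # Captured once so every row of a report carries the same timestamp.
        $now = [datetime]::UtcNow
    }

    process {
        $policy = Invoke-GkGraphRequest -Raw -Uri '/policies/authenticationMethodsPolicy' -CallerFunction 'Get-GkAuthMethodPolicy'
        $configs = @(Get-GkDictValue $policy 'authenticationMethodConfigurations')

        foreach ($c in $configs) {
            # @(...) wraps a lone $null into a one-element array, so a missing
            # configuration list would otherwise yield one blank row in the report.
            if ($null -eq $c) { continue }

            # -ne is case-insensitive, so 'Enabled' and 'enabled' both pass the filter.
            $state = [string](Get-GkDictValue $c 'state')
            if ($EnabledOnly -and $state -ne 'enabled') { continue }

            # Derive a friendly method name from the id or @odata.type.
            $id = [string](Get-GkDictValue $c 'id')
            $method = $id
            if (-not $method) {
                $odataType = [string](Get-GkDictValue $c '@odata.type')
                if ($odataType) {
                    # Keep the last dotted segment and drop the common type suffix.
                    $method = ($odataType -split '\.')[-1] -replace 'AuthenticationMethodConfiguration$', ''
                }
            }

            $obj = [ordered]@{
                PSTypeName = 'PSGraphKit.AuthMethodState'
                Method     = $method
                State      = $state
                Id         = $id
            }
            if ($AsReport) { $obj['ReportGeneratedUtc'] = $now }

            [pscustomobject]$obj
        }
    }
}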