Public/Get-GkAuthStrengthPolicy.ps1
|
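function Get-GkAuthStrengthPolicy {
    <#
    .SYNOPSIS
        Report authentication strength policies (built-in and custom) and their
        allowed method combinations.

    .DESCRIPTION
        Reads GET /policies/authenticationStrengthPolicies, which back the
        "require authentication strength" grant control in Conditional Access.
        Shows each policy's type and the method combinations it accepts
        (e.g. fido2, x509CertificateMultiFactor) — useful for confirming a
        phishing-resistant option is defined for privileged access.

        Requires Policy.Read.AuthenticationMethod (or Policy.Read.All).

    .PARAMETER CustomOnly
        Return only custom (tenant-defined) policies.

    .PARAMETER AsReport
        Flatten AllowedCombinations to a '; '-joined string and add
        ReportGeneratedUtc.

    .EXAMPLE
        Get-GkAuthStrengthPolicy

        All authentication strength policies with their allowed combinations.

    .EXAMPLE
        Get-GkAuthStrengthPolicy -CustomOnly

        Only custom strengths the tenant has defined.

    .EXAMPLE
        Get-GkAuthStrengthPolicy -AsReport | Export-Csv .\auth-strengths.csv -NoTypeInformation

        Flattened rows suitable for CSV export.

    .OUTPUTS
        PSGraphKit.AuthStrengthPolicy

    .NOTES
        Reading the output for a security review:
        - A strength is satisfied by ANY ONE of its allowed combinations, so a
          custom policy is only as strong as the weakest entry in
          AllowedCombinations. Review the full list, not just whether fido2 or
          a certificate method appears in it.
        - This function reads policy definitions only. It does not show whether
          any Conditional Access policy references a given strength; check that
          separately before treating a strength as enforced.
        - CombinationCount counts non-null combinations, so a policy with no
          allowedCombinations value reports 0.
    #>
    [CmdletBinding()]
    [OutputType('PSGraphKit.AuthStrengthPolicy')]
    param(
        [switch] $CustomOnly,
        [switch] $AsReport
    )

    begin {
        # Connection check result is discarded; only its side effects/errors matter here.
        Test-GkConnection -FunctionName 'Get-GkAuthStrengthPolicy' | Out-Null

        # Captured once so every row of a single report carries the same timestamp.
        $now = [datetime]::UtcNow
    }

    process {
        $policies = Invoke-GkGraphRequest -Uri '/policies/authenticationStrengthPolicies' -CallerFunction 'Get-GkAuthStrengthPolicy'

        foreach ($p in $policies) {
            $type = [string](Get-GkDictValue $p 'policyType')
            if ($CustomOnly -and $type -ne 'custom') { continue }

            # @($null) is a one-element array, so an absent allowedCombinations
            # would otherwise be reported as one (blank) combination.
            # NOTE(review): presumably Get-GkDictValue yields $null for a missing
            # key — confirm against the helper; the filter is harmless either way.
            $combos = @(Get-GkDictValue $p 'allowedCombinations' | Where-Object { $null -ne $_ })

            $obj = [ordered]@{
                PSTypeName          = 'PSGraphKit.AuthStrengthPolicy'
                DisplayName         = [string](Get-GkDictValue $p 'displayName')
                PolicyType          = $type
                AllowedCombinations = if ($AsReport) { $combos -join '; ' } else { $combos }
                CombinationCount    = $combos.Count
                Modified            = ConvertTo-GkDateTime (Get-GkDictValue $p 'modifiedDateTime')
                Id                  = [string](Get-GkDictValue $p 'id')
            }

            if ($AsReport) {
                $obj['ReportGeneratedUtc'] = $now
            }

            [pscustomobject]$obj
        }
    }
}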