AADAuthenticationMethodPolicyAuthenticator: Number matching is now enabled by default and cannot be toggled #3406
Comments
Suggested solution to the issue

I have confirmed that simply removing any reference to the "NumberMatchingRequiredState" FeatureSetting when running Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration correctly configures the MicrosoftAuthenticator policy without error. So, I assume just removing references to "NumberMatchingRequiredState" from MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1 should stop the errors and leave the default configuration of this feature setting, which is "Enabled" and applies to "All Users".

$params = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state = "Enabled"
    isSoftwareOathEnabled = $True
    featureSettings = @{
        "@odata.type" = "microsoft.graph.microsoftAuthenticatorFeatureSettings"
        displayAppInformationRequiredState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
        displayLocationInformationRequiredState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
        CompanionAppAllowedState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
    }
}

$authenticationMethodConfigurationId = "MicrosoftAuthenticator"
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $authenticationMethodConfigurationId -BodyParameter $params
We are not able to reproduce. We used the configuration you provided in the first post above and were successful in deploying it without errors on multiple environments. Do you have repro steps on other tenants by any chance? Thanks
Thank you for investigating this issue.

Response to your request for information

I tried using the same initial DSC config on a new tenant and this failed for me with the same errors "Persistance of policy failed with error: Microsoft Authenticator's number matching feature can no longer be toggled as part of featureSettings."

Further Troubleshooting

I removed all traces of the DSC module and updated to the latest version 1.23.621.1

The DSC configuration that is used to reproduce the issue

# Generated with Microsoft365DSC version 1.23.621.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $Credential
)

Configuration M365TenantConfig
{
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    if ($null -eq $Credential)
    {
        <# Credentials #>
        $Credscredential = Get-Credential -Message "Credentials"
    }
    else
    {
        $CredsCredential = $Credential
    }

    $OrganizationName = $CredsCredential.UserName.Split('@')[1]
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.621.1'

    Node localhost
    {
        AADAuthenticationMethodPolicyAuthenticator "AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator"
        {
            Credential = $Credscredential;
            Ensure = "Present";
            FeatureSettings = MSFT_MicrosoftGraphmicrosoftAuthenticatorFeatureSettings{
                DisplayLocationInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = '00000000-0000-0000-0000-000000000000'
                        TargetType = 'group'
                    }
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'enabled'
                }
                NumberMatchingRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = '00000000-0000-0000-0000-000000000000'
                        TargetType = 'group'
                    }
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'enabled'
                }
                CompanionAppAllowedState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = '00000000-0000-0000-0000-000000000000'
                        TargetType = 'group'
                    }
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'enabled'
                }
                DisplayAppInformationRequiredState = MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration{
                    ExcludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = '00000000-0000-0000-0000-000000000000'
                        TargetType = 'group'
                    }
                    IncludeTarget = MSFT_AADAuthenticationMethodPolicyAuthenticatorFeatureTarget{
                        Id = 'all_users'
                        TargetType = 'group'
                    }
                    State = 'enabled'
                }
            };
            Id = "MicrosoftAuthenticator";
            IncludeTargets = @(
                MSFT_AADAuthenticationMethodPolicyAuthenticatorIncludeTarget{
                    Id = 'all_users'
                    TargetType = 'group'
                }
            );
            IsSoftwareOathEnabled = $False;
            State = "enabled";
        }
    }
}
M365TenantConfig -ConfigurationData .\ConfigurationData.psd1 -Credential $Credential

Further Information

I am surprised you cannot reproduce this issue as it appears to be an error reported by the "Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration" cmdlet used in the DSC module "MSFT_AADAuthenticationMethodPolicyAuthenticator.psm1". You can reproduce the MSGraph error by using the following code:

Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.AuthenticationMethod"
$authenticationMethodConfigurationId = "MicrosoftAuthenticator"
$params = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state = "Enabled"
    isSoftwareOathEnabled = $True
    featureSettings = @{
        "@odata.type" = "microsoft.graph.microsoftAuthenticatorFeatureSettings"
        displayAppInformationRequiredState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
        displayLocationInformationRequiredState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
        CompanionAppAllowedState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
        NumberMatchingRequiredState = @{
            state = "Enabled"
            includeTarget = @{
                Id = "all_users"
                TargetType = "group"
            }
            excludeTarget = @{
                Id = "00000000-0000-0000-0000-000000000000"
                TargetType = "group"
            }
        }
    }
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $authenticationMethodConfigurationId -BodyParameter $params
Ok, we were able to replicate by removing all other feature settings and keeping only this one. We will publish a fix that will ignore this feature in the export flow and that will ignore the error in the SET.
Details of the scenario you tried and the problem that is occurring
Attempting to enable and configure Microsoft Authenticator policy under Authentication Methods
Verbose logs showing the problem
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer XXX with user sid S-XXX.
VERBOSE: []: LCM: [ Start Set ]
VERBOSE: []: LCM: [ Start Resource ] [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator]
VERBOSE: []: LCM: [ Start Test ] [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator]
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] Testing configuration of the Azure AD Authentication Method Policy Authenticator with Id {MicrosoftAuthenticator}
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] An Azure AD Authentication Method Policy Authenticator with Id {MicrosoftAuthenticator} was found.
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] Current Values: ApplicationId=***
ApplicationSecret=$null
CertificateThumbprint=***
Credential=$null
Ensure=Present
ExcludeTargets=()
FeatureSettings={CompanionAppAllowedState={ExcludeTarget={Id=00000000-0000-0000-0000-000000000000
TargetType=group}
IncludeTarget={Id=all_users
TargetType=group}
State=default}
DisplayAppInformationRequiredState={ExcludeTarget={Id=00000000-0000-0000-0000-000000000000
TargetType=group}
IncludeTarget={Id=all_users
TargetType=group}
State=default}
DisplayLocationInformationRequiredState={ExcludeTarget={Id=00000000-0000-0000-0000-000000000000
TargetType=group}
IncludeTarget={Id=all_users
TargetType=group}
State=default}
NumberMatchingRequiredState={ExcludeTarget={Id=00000000-0000-0000-0000-000000000000
TargetType=group}
IncludeTarget={Id=all_users
TargetType=group}
State=enabled}}
Id=MicrosoftAuthenticator
IncludeTargets=({Id=all_users
TargetType=group})
IsSoftwareOathEnabled=True
Managedidentity=False
State=disabled
TenantId=***
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] Target Values: CertificateThumbprint=***
Ensure=Present
ExcludeTargets=({Id=Conditional Access - Exclude All; TargetType=group})
FeatureSettings={CompanionAppAllowedState=MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration; DisplayAppInformationRequiredState=MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration; DisplayLocationInformationRequiredState=MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration; NumberMatchingRequiredState=MSFT_MicrosoftGraphAuthenticationMethodFeatureConfiguration}
IncludeTargets=({Id=all_users; TargetType=group})
IsSoftwareOathEnabled=True
State=enabled
Verbose=True
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] Test-TargetResource returned False
VERBOSE: []: LCM: [ End Test ] [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] in 20.8440 seconds.
VERBOSE: []: LCM: [ Start Set ] [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator]
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] An Azure AD Authentication Method Policy Authenticator with Id {MicrosoftAuthenticator} was found.
VERBOSE: []: [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] Updating the Azure AD Authentication Method Policy Authenticator with Id {MicrosoftAuthenticator}
You cannot call a method on a null-valued expression.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : InvokeMethodOnNull
+ PSComputerName : localhost
Persistance of policy failed with error: Microsoft Authenticator's number matching feature can no longer be toggled as part of featureSettings. Documentation can be found here: https://aka.ms/numbermatchdoc
+ CategoryInfo : InvalidOperation: ({ Authenticatio...Configuration }:) [], CimException
+ FullyQualifiedErrorId : badRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration_Update
+ PSComputerName : localhost
VERBOSE: []: LCM: [ End Set ] [[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator] in 8.1520 seconds.
The PowerShell DSC resource '[AADAuthenticationMethodPolicyAuthenticator]AADAuthenticationMethodPolicyAuthenticator-MicrosoftAuthenticator' with SourceInfo 'C:\M365DSC\M365TenantConfig.ps1::17::9::AADAuthenticationMethodPolicyAuthenticator' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
VERBOSE: []: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 30.866 seconds
Suggested solution to the issue
Going to need some logic to deal with the fact that when enabling the Microsoft Authenticator Policy the feature setting NumberMatchingRequiredState will be set to enabled by default and can no longer be toggled.
The DSC configuration that is used to reproduce the issue (as detailed as possible)
The operating system the target node is running
Attempted configuration from Windows 11 and Server Standard 2022 Core
Version of the DSC module that was used ('dev' if using current dev branch)
1.23.614.1
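The logic asked for above (and the workaround confirmed earlier in the thread) amounts to one rule: never send NumberMatchingRequiredState in the featureSettings body, because Graph now enforces number matching for all users and rejects any attempt to toggle it. The following is an added example written for this page; it is not Microsoft365DSC's own code and not the fix the maintainers published. It strips the immutable key before calling the same Update cmdlet used on this page, then reads the policy back to confirm the tenant still reports number matching as enabled for all users. It assumes Microsoft.Graph.Identity.SignIns is installed and Connect-MgGraph has already been run with the Policy.ReadWrite.AuthenticationMethod scope; the AdditionalProperties path used to read the feature settings back is an assumption about how the Graph PowerShell SDK surfaces derived-type properties.

```powershell
# Added example, not Microsoft365DSC project code.
# Feature-setting keys Graph no longer accepts in the request body. Only
# NumberMatchingRequiredState is known from this issue; the list form lets a
# future immutable key be added in one place.
$script:ImmutableFeatureSettings = @('NumberMatchingRequiredState')

function Remove-ImmutableFeatureSetting {
    # Returns a copy of a featureSettings hashtable without the keys Graph refuses.
    # -contains on a string array is case-insensitive, which matters because the
    # thread mixes "NumberMatchingRequiredState" (DSC) and
    # "numberMatchingRequiredState" (Graph JSON).
    param([Parameter(Mandatory)][hashtable]$FeatureSettings)

    $clean = @{}
    foreach ($key in $FeatureSettings.Keys) {
        if ($script:ImmutableFeatureSettings -contains $key) {
            Write-Verbose "Dropping immutable feature setting '$key' from the request body"
            continue
        }
        $clean[$key] = $FeatureSettings[$key]
    }
    return $clean
}

function Set-AuthenticatorPolicyWithoutToggle {
    # Applies the Microsoft Authenticator policy with the immutable key removed,
    # then verifies the tenant-side state of number matching instead of trusting
    # the absence of an error. Hypothetical helper name.
    param(
        [Parameter(Mandatory)][hashtable]$FeatureSettings,
        [bool]$SoftwareOathEnabled = $false
    )

    $body = @{
        '@odata.type'         = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        state                 = 'enabled'
        isSoftwareOathEnabled = $SoftwareOathEnabled
        featureSettings       = Remove-ImmutableFeatureSetting -FeatureSettings $FeatureSettings
    }

    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' -BodyParameter $body

    # Read back. Properties of the derived microsoftAuthenticator type land in
    # AdditionalProperties on the SDK object (assumption about SDK object shape).
    $cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator'
    $nm = $cfg.AdditionalProperties['featureSettings']['numberMatchingRequiredState']

    if (-not $nm -or $nm['state'] -ne 'enabled' -or $nm['includeTarget']['id'] -ne 'all_users') {
        throw "Number matching is not enforced for all users: $($nm | ConvertTo-Json -Compress)"
    }
    return $nm
}

# Constructed sample input: the desired settings from this thread, including the
# key that Graph would reject if it were sent as-is.
$desired = @{
    '@odata.type' = 'microsoft.graph.microsoftAuthenticatorFeatureSettings'
    displayAppInformationRequiredState = @{
        state = 'enabled'
        includeTarget = @{ Id = 'all_users'; TargetType = 'group' }
        excludeTarget = @{ Id = '00000000-0000-0000-0000-000000000000'; TargetType = 'group' }
    }
    NumberMatchingRequiredState = @{
        state = 'enabled'
        includeTarget = @{ Id = 'all_users'; TargetType = 'group' }
        excludeTarget = @{ Id = '00000000-0000-0000-0000-000000000000'; TargetType = 'group' }
    }
}

Set-AuthenticatorPolicyWithoutToggle -FeatureSettings $desired -Verbose
```

The same two-part shape is what a DSC resource needs here: drop the key from the body that Set-TargetResource sends (and from what the export writes, so a round-tripped configuration does not reintroduce it), and keep the read-back check in Test-TargetResource so drift in number matching is still reported even though the resource can no longer change it.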