
Commit a8e7aa5

Feat: Add Email as alternate login ID standard (KelvinTegelaar#2075)
Frontend PR: KelvinTegelaar/CIPP#6106
2 parents 593911e + 1fc4263 commit a8e7aa5

1 file changed

Lines changed: 126 additions & 0 deletions


Lines changed: 126 additions & 0 deletions
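--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,126 @@
+function Invoke-CIPPStandardEmailAsAlternateLoginId {
+<#
+.FUNCTIONALITY
+Internal
+.COMPONENT
+(APIName) EmailAsAlternateLoginId
+.SYNOPSIS
+(Label) Configure Email as alternate login ID
+.DESCRIPTION
+(Helptext) Configures the tenant-wide Email as alternate login ID setting in Home Realm Discovery policy.
+(DocsDescription) Sets the Home Realm Discovery policy AlternateIdLogin setting to enable or disable using email as an alternate sign-in ID.
+.NOTES
+CAT
+Entra (AAD) Standards
+TAG
+EXECUTIVETEXT
+Controls whether users can sign in with email as an alternate identifier, allowing organizations to align sign-in behavior with their identity strategy and reduce authentication ambiguity.
+ADDEDCOMPONENT
+{"type":"switch","name":"standards.EmailAsAlternateLoginId.Enabled","label":"Enable Email as Alternate Login ID","defaultValue":false}
+IMPACT
+Medium Impact
+ADDEDDATE
+2026-06-03
+POWERSHELLEQUIVALENT
+Invoke-MgGraphRequest https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/
+RECOMMENDEDBY
+"CIPP"
+UPDATECOMMENTBLOCK
+Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+.LINK
+https://docs.cipp.app/user-documentation/tenant/standards/alignment/templates/available-standards
+#>
+
+param($Tenant, $Settings)
+
+$DesiredEnabledValue = $Settings.Enabled.value ?? $Settings.Enabled ?? $false
+$DesiredEnabled = if ($DesiredEnabledValue -is [bool]) {
+$DesiredEnabledValue
+} elseif ($DesiredEnabledValue -is [string]) {
+$DesiredEnabledValue -eq 'true'
+} else {
+[bool]$DesiredEnabledValue
+}
+$DesiredStatus = if ($DesiredEnabled) { 'enabled' } else { 'disabled' }
+
+try {
+$Policies = @(New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies' -tenantid $Tenant)
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the EmailAsAlternateLoginId state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+return
+}
+
+$CurrentPolicy = @($Policies | Where-Object { $_.isOrganizationDefault -eq $true }) | Select-Object -First 1
+$CurrentDefinition = if ($CurrentPolicy.definition) {
+($CurrentPolicy.definition | Select-Object -First 1) | ConvertFrom-Json -ErrorAction SilentlyContinue
+} else {
+$null
+}
+$CurrentEnabledRaw = $CurrentDefinition.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled
+$PolicyExists = $null -ne $CurrentPolicy
+$HasExplicitSetting = $null -ne $CurrentEnabledRaw
+$CurrentEnabled = if ($null -eq $CurrentEnabledRaw) { $false } else { [bool]$CurrentEnabledRaw }
+$StateIsCorrect = $PolicyExists -and $HasExplicitSetting -and ($CurrentEnabled -eq $DesiredEnabled)
+
+$CurrentValue = [PSCustomObject]@{
+AlternateIdLoginEnabled = $CurrentEnabled
+PolicyExists = $PolicyExists
+HasExplicitSetting = $HasExplicitSetting
+}
+$ExpectedValue = [PSCustomObject]@{
+AlternateIdLoginEnabled = $DesiredEnabled
+PolicyExists = $true
+HasExplicitSetting = $true
+}
+
+if ($Settings.remediate -eq $true) {
+if ($StateIsCorrect) {
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is already $DesiredStatus." -sev Info
+} else {
+try {
+$PolicyDefinition = @{
+HomeRealmDiscoveryPolicy = @{
+AlternateIdLogin = @{
+Enabled = $DesiredEnabled
+}
+}
+} | ConvertTo-Json -Depth 10 -Compress
+
+$Body = @{
+definition = @($PolicyDefinition)
+isOrganizationDefault = $true
+displayName = 'HomeRealmDiscoveryPolicy'
+} | ConvertTo-Json -Depth 10 -Compress
+
+if ($PolicyExists) {
+$RequestUri = "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/$($CurrentPolicy.id)"
+$RequestType = 'PATCH'
+} else {
+$RequestUri = 'https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/'
+$RequestType = 'POST'
+}
+
+New-GraphPostRequest -tenantid $Tenant -Uri $RequestUri -Type $RequestType -Body $Body | Out-Null
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Email as alternate login ID to $DesiredStatus." -sev Info
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Email as alternate login ID to $DesiredStatus. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+}
+}
+}
+
+if ($Settings.alert -eq $true) {
+if ($StateIsCorrect) {
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is $DesiredStatus." -sev Info
+} else {
+Write-StandardsAlert -message "Email as alternate login ID is not $DesiredStatus." -object $CurrentValue -tenant $Tenant -standardName 'EmailAsAlternateLoginId' -standardId $Settings.standardId
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is not $DesiredStatus." -sev Info
+}
+}
+
+if ($Settings.report -eq $true) {
+Set-CIPPStandardsCompareField -FieldName 'standards.EmailAsAlternateLoginId' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant
+Add-CIPPBPAField -FieldName 'EmailAsAlternateLoginId' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+}
+}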
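Review bot: The remediation PATCH built at lines 82-98 replaces the whole `definition` of the existing organization-default Home Realm Discovery policy with a JSON object that contains only `AlternateIdLogin`, so any other settings already present in that definition (for example `AccelerateToFederatedDomain` or `AllowCloudPasswordValidation`, if the tenant has them) would, as far as I can tell from Graph's PATCH semantics, be dropped tenant-wide; the same overwrite happens when the existing definition fails to parse, because `ConvertFrom-Json -ErrorAction SilentlyContinue` on line 56 yields `$null` and the standard then treats the setting as missing. The definition should be produced by merging `AlternateIdLogin.Enabled` into `$CurrentDefinition` when a policy exists, and remediation should refuse to overwrite a definition it could not parse so the failure lands in the existing catch block and is logged. The PATCH body also resets `displayName` to `'HomeRealmDiscoveryPolicy'` on an existing policy, which is presumably unintended; sending `displayName` only on POST avoids silently renaming it. Suggested rewrite of the definition- and body-building lines follows; the URI/type selection and request call stay as they are.
```powershell
try {
    # Refuse to clobber a definition we could not read; the catch block below logs it.
    if ($PolicyExists -and $CurrentPolicy.definition -and $null -eq $CurrentDefinition) {
        throw 'Existing HomeRealmDiscoveryPolicy definition could not be parsed; not overwriting it.'
    }
    # Merge into the existing definition so other HRD settings survive the PATCH.
    $DefinitionObject = if ($null -ne $CurrentDefinition) { $CurrentDefinition } else { [PSCustomObject]@{} }
    if ($null -eq $DefinitionObject.HomeRealmDiscoveryPolicy) {
        $DefinitionObject | Add-Member -NotePropertyName HomeRealmDiscoveryPolicy -NotePropertyValue ([PSCustomObject]@{}) -Force
    }
    $DefinitionObject.HomeRealmDiscoveryPolicy | Add-Member -NotePropertyName AlternateIdLogin -NotePropertyValue ([PSCustomObject]@{ Enabled = $DesiredEnabled }) -Force
    $PolicyDefinition = $DefinitionObject | ConvertTo-Json -Depth 10 -Compress

    $BodyObject = @{
        definition = @($PolicyDefinition)
        isOrganizationDefault = $true
    }
    # displayName is only needed when creating the policy; do not rename an existing one.
    if (-not $PolicyExists) { $BodyObject.displayName = 'HomeRealmDiscoveryPolicy' }
    $Body = $BodyObject | ConvertTo-Json -Depth 10 -Compress
    # … unchanged: request URI/type selection, New-GraphPostRequest call, success/failure logging …
```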
