|
| 1 | +function Invoke-CIPPStandardEmailAsAlternateLoginId { |
| 2 | + <# |
| 3 | + .FUNCTIONALITY |
| 4 | + Internal |
| 5 | + .COMPONENT |
| 6 | + (APIName) EmailAsAlternateLoginId |
| 7 | + .SYNOPSIS |
| 8 | + (Label) Configure Email as alternate login ID |
| 9 | + .DESCRIPTION |
| 10 | + (Helptext) Configures the tenant-wide Email as alternate login ID setting in Home Realm Discovery policy. |
| 11 | + (DocsDescription) Sets the Home Realm Discovery policy AlternateIdLogin setting to enable or disable using email as an alternate sign-in ID. |
| 12 | + .NOTES |
| 13 | + CAT |
| 14 | + Entra (AAD) Standards |
| 15 | + TAG |
| 16 | + EXECUTIVETEXT |
| 17 | + Controls whether users can sign in with email as an alternate identifier, allowing organizations to align sign-in behavior with their identity strategy and reduce authentication ambiguity. |
| 18 | + ADDEDCOMPONENT |
| 19 | + {"type":"switch","name":"standards.EmailAsAlternateLoginId.Enabled","label":"Enable Email as Alternate Login ID","defaultValue":false} |
| 20 | + IMPACT |
| 21 | + Medium Impact |
| 22 | + ADDEDDATE |
| 23 | + 2026-06-03 |
| 24 | + POWERSHELLEQUIVALENT |
| 25 | + Invoke-MgGraphRequest https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/ |
| 26 | + RECOMMENDEDBY |
| 27 | + "CIPP" |
| 28 | + UPDATECOMMENTBLOCK |
| 29 | + Run the Tools\Update-StandardsComments.ps1 script to update this comment block |
| 30 | + .LINK |
| 31 | + https://docs.cipp.app/user-documentation/tenant/standards/alignment/templates/available-standards |
| 32 | + #> |
| 33 | + |
| 34 | + param($Tenant, $Settings) |
| 35 | + |
| 36 | + $DesiredEnabledValue = $Settings.Enabled.value ?? $Settings.Enabled ?? $false |
| 37 | + $DesiredEnabled = if ($DesiredEnabledValue -is [bool]) { |
| 38 | + $DesiredEnabledValue |
| 39 | + } elseif ($DesiredEnabledValue -is [string]) { |
| 40 | + $DesiredEnabledValue -eq 'true' |
| 41 | + } else { |
| 42 | + [bool]$DesiredEnabledValue |
| 43 | + } |
| 44 | + $DesiredStatus = if ($DesiredEnabled) { 'enabled' } else { 'disabled' } |
| 45 | + |
| 46 | + try { |
| 47 | + $Policies = @(New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies' -tenantid $Tenant) |
| 48 | + } catch { |
| 49 | + $ErrorMessage = Get-CippException -Exception $_ |
| 50 | + Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the EmailAsAlternateLoginId state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage |
| 51 | + return |
| 52 | + } |
| 53 | + |
| 54 | + $CurrentPolicy = @($Policies | Where-Object { $_.isOrganizationDefault -eq $true }) | Select-Object -First 1 |
| 55 | + $CurrentDefinition = if ($CurrentPolicy.definition) { |
| 56 | + ($CurrentPolicy.definition | Select-Object -First 1) | ConvertFrom-Json -ErrorAction SilentlyContinue |
| 57 | + } else { |
| 58 | + $null |
| 59 | + } |
| 60 | + $CurrentEnabledRaw = $CurrentDefinition.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled |
| 61 | + $PolicyExists = $null -ne $CurrentPolicy |
| 62 | + $HasExplicitSetting = $null -ne $CurrentEnabledRaw |
| 63 | + $CurrentEnabled = if ($null -eq $CurrentEnabledRaw) { $false } else { [bool]$CurrentEnabledRaw } |
| 64 | + $StateIsCorrect = $PolicyExists -and $HasExplicitSetting -and ($CurrentEnabled -eq $DesiredEnabled) |
| 65 | + |
| 66 | + $CurrentValue = [PSCustomObject]@{ |
| 67 | + AlternateIdLoginEnabled = $CurrentEnabled |
| 68 | + PolicyExists = $PolicyExists |
| 69 | + HasExplicitSetting = $HasExplicitSetting |
| 70 | + } |
| 71 | + $ExpectedValue = [PSCustomObject]@{ |
| 72 | + AlternateIdLoginEnabled = $DesiredEnabled |
| 73 | + PolicyExists = $true |
| 74 | + HasExplicitSetting = $true |
| 75 | + } |
| 76 | + |
| 77 | + if ($Settings.remediate -eq $true) { |
| 78 | + if ($StateIsCorrect) { |
| 79 | + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is already $DesiredStatus." -sev Info |
| 80 | + } else { |
| 81 | + try { |
| 82 | + $PolicyDefinition = @{ |
| 83 | + HomeRealmDiscoveryPolicy = @{ |
| 84 | + AlternateIdLogin = @{ |
| 85 | + Enabled = $DesiredEnabled |
| 86 | + } |
| 87 | + } |
| 88 | + } | ConvertTo-Json -Depth 10 -Compress |
| 89 | + |
| 90 | + $Body = @{ |
| 91 | + definition = @($PolicyDefinition) |
| 92 | + isOrganizationDefault = $true |
| 93 | + displayName = 'HomeRealmDiscoveryPolicy' |
| 94 | + } | ConvertTo-Json -Depth 10 -Compress |
| 95 | + |
| 96 | + if ($PolicyExists) { |
| 97 | + $RequestUri = "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/$($CurrentPolicy.id)" |
| 98 | + $RequestType = 'PATCH' |
| 99 | + } else { |
| 100 | + $RequestUri = 'https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/' |
| 101 | + $RequestType = 'POST' |
| 102 | + } |
| 103 | + |
| 104 | + New-GraphPostRequest -tenantid $Tenant -Uri $RequestUri -Type $RequestType -Body $Body | Out-Null |
| 105 | + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Email as alternate login ID to $DesiredStatus." -sev Info |
| 106 | + } catch { |
| 107 | + $ErrorMessage = Get-CippException -Exception $_ |
| 108 | + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Email as alternate login ID to $DesiredStatus. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage |
| 109 | + } |
| 110 | + } |
| 111 | + } |
| 112 | + |
| 113 | + if ($Settings.alert -eq $true) { |
| 114 | + if ($StateIsCorrect) { |
| 115 | + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is $DesiredStatus." -sev Info |
| 116 | + } else { |
| 117 | + Write-StandardsAlert -message "Email as alternate login ID is not $DesiredStatus." -object $CurrentValue -tenant $Tenant -standardName 'EmailAsAlternateLoginId' -standardId $Settings.standardId |
| 118 | + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is not $DesiredStatus." -sev Info |
| 119 | + } |
| 120 | + } |
| 121 | + |
| 122 | + if ($Settings.report -eq $true) { |
| 123 | + Set-CIPPStandardsCompareField -FieldName 'standards.EmailAsAlternateLoginId' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant |
| 124 | + Add-CIPPBPAField -FieldName 'EmailAsAlternateLoginId' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant |
| 125 | + } |
| 126 | +} |
0 commit comments