New standard for QR code auth method disablement

kris6673 · kris6673 · commit 282623e8669f · 2025-02-12T17:57:16.000+01:00
diff --git a/Modules/CIPPCore/Public/Set-CIPPAuthenticationPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAuthenticationPolicy.ps1
@@ -109,8 +109,8 @@ function Set-CIPPAuthenticationPolicy {
         # QR code
         'QRCodePin' {
             if ($State -eq 'enabled') {
-                $CurrentInfo.pinLength = $QRCodePinLength
-                $CurrentInfo.standardQRCodeLifetimeInDays = $QRCodeLifetimeInDays
+                Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Setting $AuthenticationMethodId to enabled is not allowed" -sev Error
+                throw "Setting $AuthenticationMethodId to enabled is not allowed"
             }
         }
         Default {
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1
@@ -0,0 +1,56 @@
+function Invoke-CIPPStandardDisableQRCodePin {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) DisableQRCodePin
+    .SYNOPSIS
+        (Label) Disables QR Code Pin as an MFA method
+    .DESCRIPTION
+        (Helptext) This blocks users from using QR Code Pin as an MFA method. If a user only has QR Code Pin as a MFA method, they will be unable to log in.
+        (DocsDescription) Disables QR Code Pin as an MFA method for the tenant. If a user only has QR Code Pin as a MFA method, they will be unable to sign in.
+    .NOTES
+        CAT
+            Entra (AAD) Standards
+        TAG
+            "highimpact"
+        ADDEDCOMPONENT
+        IMPACT
+            High Impact
+        POWERSHELLEQUIVALENT
+            Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
+        RECOMMENDEDBY
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards/entra-aad-standards#high-impact
+    #>
+
+    param($Tenant, $Settings)
+
+    $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/QRCodePin' -tenantid $Tenant
+    $StateIsCorrect = ($CurrentState.state -eq 'disabled')
+
+    If ($Settings.remediate -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'QR Code Pin authentication method is already disabled.' -sev Info
+        } else {
+            try {
+                Set-CIPPAuthenticationPolicy -Tenant $tenant -APIName 'Standards' -AuthenticationMethodId 'QRCodePin' -Enabled $false
+            } catch {
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'QR Code Pin authentication method is not enabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'QR Code Pin authentication method is enabled' -sev Alert
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        Add-CIPPBPAField -FieldName 'DisableQRCodePin' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -109,8 +109,8 @@ function Set-CIPPAuthenticationPolicy {`
`109`	`109`	`# QR code`
`110`	`110`	`'QRCodePin' {`
`111`	`111`	`if ($State -eq 'enabled') {`
`112`		`- $CurrentInfo.pinLength = $QRCodePinLength`
`113`		`- $CurrentInfo.standardQRCodeLifetimeInDays = $QRCodeLifetimeInDays`
	`112`	`+ Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Setting $AuthenticationMethodId to enabled is not allowed" -sev Error`
	`113`	`+ throw "Setting $AuthenticationMethodId to enabled is not allowed"`
`114`	`114`	`}`
`115`	`115`	`}`
`116`	`116`	`Default {`