New-DuoPolicy

SYNOPSIS

Creates a new custom policy with specified parameters.

SYNTAX

New-DuoPolicy [-ApiHostname] <String> [-Credential] <PSCredential> [-Name] <String> [[-AffectAllApps] <String>]
 [[-ApplyList] <Array>] [[-ReplaceList] <Array>] [[-UnassignList] <Array>] [[-ApplyGroupPolicyList] <Array>]
 [[-GroupPolicyApplyOrder] <String>] [[-ReplaceGroupPolicyList] <Array>] [[-UnassignGroupPolicyList] <Array>]
 [[-AnonymousAccessBehavior] <String>] [[-AllowedAuthList] <Array>] [-AutoRetrySms]
 [[-BlockedAuthList] <Array>] [-RequireVerifiedPush] [[-VerifiedPushDigits] <Int32>]
 [[-UserAuthBehavior] <String>] [[-NoMfaRequiredIpList] <Array>] [-RequireEnrollment]
 [[-MfaRequiredIpList] <Array>] [-DenyOtherAccess] [[-AllowedBrowsersList] <Array>]
 [[-BlockedBrowsersList] <Array>] [[-OutOfDateBehavior] <String>] [[-BrowserMaxOutOfDateDays] <Int32>]
 [[-RequiresDha] <Array>] [[-PromptToInstallDha] <Array>] [[-EnforceFirewall] <Array>]
 [[-EnforceEncryption] <Array>] [[-EnforceSystemPassword] <Array>] [[-MacOsEndpointSecurityList] <Array>]
 [[-MacOsRemediationNote] <String>] [[-WindowsEndpointSecurityList] <Array>]
 [[-WindowsRemediationNote] <String>] [-RequireDuoAppUpdates] [-RequiresFullDiskEncryption]
 [-RequiresMobileDeviceBiometrics] [[-NewUserBehavior] <String>] [[-AllowUnrestrictedOsList] <Array>]
 [[-BlockOsList] <Array>] [[-OperatingSystemToRestrict] <String>] [[-OsWarnPolicy] <String>]
 [[-OsWarnVersion] <String>] [[-OsWarnRemediationDays] <String>] [[-OsBlockPolicy] <String>]
 [[-OsBlockVersion] <String>] [[-OsBlockRemediationDays] <String>] [[-FlashPlugin] <String>]
 [[-JavaPlugin] <String>] [[-JavaMaxOutOfDateDays] <String>] [-BrowserAppsEnabled]
 [[-BrowserAppsRememberMethod] <String>] [-BrowserAppsUserBasedConfirmPerApp]
 [[-BrowserAppsUserBasedMaxTimeUnits] <String>] [[-BrowserAppsUserBasedMaxTimeValue] <Int32>]
 [[-BrowserAppsRiskBasedMaxTimeUnits] <String>] [[-BrowserAppsRiskBasedMaxTimeValue] <Int32>]
 [-WindowsLogonEnabled] [[-WindowsLogonMaxTimeUnits] <String>] [[-WindowsLogonMaxTimeValue] <Int32>]
 [-LimitToRiskBasedAuthMethods] [[-RiskBasedVerifiedPushDigits] <Int32>] [-RequiresScreenLock]
 [-BlockTamperedDevices] [[-TrustedEndpointChecking] <String>] [-CiscoSecureEndpointCanBlock]
 [[-TrustedEndpointCheckingMobile] <String>] [[-RequireMfaCountriesList] <Array>]
 [[-DenyAccessCountriesList] <Array>] [[-AllowAccessNoMfaCountriesList] <Array>]
 [[-IgnoreLocationCountriesList] <Array>] [[-DefaultAction] <String>] [[-AccountId] <String>]
 [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

Creates a new custom policy with specified parameters.

EXAMPLES

EXAMPLE 1

New-DUOPolicy -Name "MyNewPolicy" -ApiHostname $ApiHostname -Credential $Credential -AccountId "AALSFLAJFKS5AJLKDJ55LA5KS"
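The following added example (not part of the module or its original documentation) checks a parameter splat against the constraints stated in the parameter descriptions on this page, then previews the call with -WhatIf. Test-DuoPolicyParameter and the policy name are hypothetical; $ApiHostname and $Credential are assumed to be defined as in Example 1.

```powershell
# Added example: validate a New-DuoPolicy splat against the constraints stated
# in the parameter descriptions on this page before anything is sent to Duo.
function Test-DuoPolicyParameter {    # hypothetical helper, not part of the module
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Policy)

    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    # Enumerated string values, copied from the parameter descriptions.
    $enums = @{
        AffectAllApps           = 'inactive', 'replace-policy', 'apply-policy', 'unassign-policy'
        AnonymousAccessBehavior = 'no-action', 'require-mfa', 'deny'
        UserAuthBehavior        = 'enforce', 'bypass', 'deny'
        NewUserBehavior         = 'enroll', 'no-mfa', 'deny'
        DefaultAction           = 'deny-access', 'ignore-location', 'require-mfa', 'allow-access-no-2fa'
    }
    foreach ($key in $enums.Keys) {
        if ($Policy.ContainsKey($key) -and ($Policy[$key] -notin $enums[$key])) {
            $problems.Add("$key '$($Policy[$key])' is not one of: $($enums[$key] -join ', ').")
        }
    }

    # Verified push digit counts are integers between 3 and 6, inclusive.
    foreach ($key in 'VerifiedPushDigits', 'RiskBasedVerifiedPushDigits') {
        if ($Policy.ContainsKey($key) -and ($Policy[$key] -lt 3 -or $Policy[$key] -gt 6)) {
            $problems.Add("$key must be between 3 and 6, got $($Policy[$key]).")
        }
    }

    # Out-of-date and remediation windows accept only the documented day counts.
    $allowedDays = 0, 14, 30, 60, 90, 180, 365
    foreach ($key in 'BrowserMaxOutOfDateDays', 'JavaMaxOutOfDateDays',
                     'OsWarnRemediationDays', 'OsBlockRemediationDays') {
        if ($Policy.ContainsKey($key) -and ([int]$Policy[$key] -notin $allowedDays)) {
            $problems.Add("$key must be one of $($allowedDays -join ', '), got $($Policy[$key]).")
        }
    }

    # AllowUnrestrictedOsList and BlockOsList must not contain the same values.
    if ($Policy['AllowUnrestrictedOsList'] -and $Policy['BlockOsList']) {
        $overlap = @($Policy['AllowUnrestrictedOsList'] |
            Where-Object { $_ -in $Policy['BlockOsList'] })
        if ($overlap.Count -gt 0) {
            $problems.Add("OS listed as both unrestricted and blocked: $($overlap -join ', ').")
        }
    }

    # DenyOtherAccess needs at least one address in one of the IP lists.
    if ($Policy['DenyOtherAccess'] -and
        -not ($Policy['NoMfaRequiredIpList'] -or $Policy['MfaRequiredIpList'])) {
        $problems.Add('DenyOtherAccess requires NoMfaRequiredIpList or MfaRequiredIpList.')
    }

    # A specific OS version only applies with the less-than-version policy.
    $versionKeys = @{ OsWarnVersion = 'OsWarnPolicy'; OsBlockVersion = 'OsBlockPolicy' }
    foreach ($entry in $versionKeys.GetEnumerator()) {
        if ($Policy[$entry.Key] -and $Policy[$entry.Value] -ne 'less-than-version') {
            $problems.Add("$($entry.Key) only applies when $($entry.Value) is less-than-version.")
        }
    }

    # Settings the descriptions flag as wide-reaching or as weakening enforcement.
    if ($Policy['AffectAllApps'] -and $Policy['AffectAllApps'] -ne 'inactive') {
        $warnings.Add("AffectAllApps '$($Policy['AffectAllApps'])' changes all applications.")
    }
    if ($Policy['UserAuthBehavior'] -eq 'bypass') {
        $warnings.Add('UserAuthBehavior bypass skips 2FA and enrollment.')
    }
    if ($Policy.ContainsKey('TrustedEndpointCheckingMobile') -and
        $Policy['TrustedEndpointCheckingMobile'] -ne $Policy['TrustedEndpointChecking']) {
        $warnings.Add('TrustedEndpointCheckingMobile differs from TrustedEndpointChecking.')
    }

    [pscustomobject]@{ Problems = $problems; Warnings = $warnings }
}

# Constructed sample policy: push and WebAuthn only, verified push with 6 digits.
$policy = @{
    Name                    = 'Baseline-VerifiedPush'   # constructed name
    AllowedAuthList         = 'duo-push', 'webauthn-platform', 'webauthn-roaming'
    BlockedAuthList         = 'sms', 'phonecall', 'duo-passcode'
    RequireVerifiedPush     = $true
    VerifiedPushDigits      = 6
    NewUserBehavior         = 'deny'
    AnonymousAccessBehavior = 'require-mfa'
    OutOfDateBehavior       = 'warn-and-block'
    BrowserMaxOutOfDateDays = 30
}

$check = Test-DuoPolicyParameter -Policy $policy
$check.Warnings | ForEach-Object { Write-Warning $_ }
if ($check.Problems.Count -gt 0) {
    $check.Problems | ForEach-Object { Write-Error $_ }
} else {
    # -WhatIf previews the call; remove it to create the policy.
    New-DuoPolicy -ApiHostname $ApiHostname -Credential $Credential @policy -WhatIf
}
```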

PARAMETERS

-ApiHostname

Target API hostname, e.g. api-XXXXXXXX.duosecurity.com

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Credential

PSCredential containing IKEY as username and SKEY as securestring

Type: PSCredential
Parameter Sets: (All)
Aliases:

Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Name

The name of the policy to create. Policy names do not have to be unique.

The name parameter may be used instead, but it will be deprecated in a future release. Please use policy_name for best results.

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AffectAllApps

Values are one of: inactive - (default) Use _list keys to specify how policy is applied. replace-policy - Apply this policy to all apps, replacing any existing policy. apply-policy - Apply this policy to all apps that don't have a policy applied already. unassign-policy - Remove this policy from all apps to which it is applied. Warning: Setting this key to any value other than inactive will make changes to all your applications.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 4
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ApplyList

An array of apps (specified with app_integration_key) to which to apply this policy. If an app in the list has another policy applied, that policy is kept.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 5
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ReplaceList

The array of applications (specified with app_integration_key) to which to apply this policy. Warning: If the policy is already applied to applications not in the list, it will be removed from those applications.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 6
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UnassignList

An array of apps (specified with integration_key) from which to remove this policy. If an app in the list has another policy applied, that policy is kept.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 7
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ApplyGroupPolicyList

A set of groups (specified with group_id_list) to which to apply this policy.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 8
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-GroupPolicyApplyOrder

Values are one of: existing - (default) If the group policy being applied already exists for this application, keep its place in the stack. If it doesn't exist, add it to the top of the stack. top - Place this policy on the top of the group policy stack. bottom - Place this policy on the bottom of the group policy stack.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 9
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ReplaceGroupPolicyList

A set of groups (specified with group_id_list) to which to apply this policy. If you specify a blank array ([]) as a value, all groups applied to this policy in this app will be replaced with nothing (that is, unassigned).

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 10
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UnassignGroupPolicyList

A set of groups (specified with group_id_list) from which to remove this policy.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 11
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AnonymousAccessBehavior

Defines what happens when a user on an anonymous network attempts to access resources. One of no-action (default), require-mfa, or deny.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 12
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AllowedAuthList

Comma-separated list of allowed authentication methods. The list defaults to: duo-push, hardware-token, webauthn-platform, webauthn-roaming, and sms. If Duo Passwordless is turned on for your account, there are three additional authentication methods available: duo-push-pwl, webauthn-platform-pwl, and webauthn-roaming-pwl.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 13
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AutoRetrySms

Is true if a new SMS passcode will be sent up to 3 times when delivery fails. Otherwise false (default). Any retries will use additional telephony credits.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BlockedAuthList

Comma-separated list of blocked authentication methods. The list defaults to: duo-passcode and phonecall.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 14
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequireVerifiedPush

Is true (default) if the user logging in must verify the push by entering the number provided on their authentication device. Otherwise false. Applies if duo-push is in the allowed_auth_list.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-VerifiedPushDigits

The number of digits a verified push requires the user to enter. An integer between 3 and 6, inclusive. Defaults to 3.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 15
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UserAuthBehavior

Defines the behavior when a user authenticates. One of: enforce (default): Requires 2FA or enrollment when applicable, unless another policy supersedes it. bypass: Skips 2FA and enrollment, unless another policy supersedes it. deny: Denies authentication to all users. Affects all users when enabled.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 16
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-NoMfaRequiredIpList

Comma-separated list of public IP addresses for which 2FA is not required. IP address lists can contain individual IPs, IP ranges and IP ranges in CIDR notation. Example: ["192.0.2.8", "198.51.100.0-198.51.100.20", "203.0.113.0/24"]

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 17
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequireEnrollment

Is true (default) if users logging in from these IP addresses must enroll in Duo. Otherwise false. At least one value must be in the ip_list to change this value.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-MfaRequiredIpList

Comma-separated list of public IP addresses for which MFA is required. IP address lists can contain individual IPs, IP ranges and IP ranges in CIDR notation. Example: ["192.0.2.8", "198.51.100.0-198.51.100.20", "203.0.113.0/24"]

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 18
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DenyOtherAccess

Is true if users must log in from IP addresses listed in one of the ip_list keys above. Otherwise false (default). At least one IP address must be in either of the ip_list keys above to change this value. This key is available in the Premier and Advantage editions.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AllowedBrowsersList

Comma-separated list of allowed browsers. Default behavior permits all browsers.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 19
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BlockedBrowsersList

Comma-separated list of blocked browsers. Default: none.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 20
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OutOfDateBehavior

Value is one of warn-only, warn-and-block, or no-remediation (default). This affects all browsers in the allowed_browsers_list.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 21
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserMaxOutOfDateDays

The number of days that a browser may be out of date before access to it is blocked (out_of_date_behavior must be warn-and-block for the browser to be blocked). Value is one of 0, 14, 30 (default), 60, 90, 180, or 365. Other values are invalid.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 22
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequiresDha

Comma-separated list of operating systems that require the Duo Device Health App (one or more of macos or windows). Listing an operating system here is the equivalent of setting "Enforcing" for that OS when editing a policy in the Admin Panel.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 23
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-PromptToInstallDha

Comma-separated list of operating systems that will prompt to install the Duo Device Health App during enrollment (one or more of macos or windows).

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 24
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-EnforceFirewall

Comma-separated list of operating systems that will require a firewall to be active (one or more of macos or windows). This key is available in the Premier and Advantage editions.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 25
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-EnforceEncryption

Comma-separated list of operating systems that will require the hard drive to be encrypted (one or more of macos or windows). This key is available in the Premier and Advantage editions.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 26
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-EnforceSystemPassword

Comma-separated list of operating systems that will require a system password to be set (one or more of macos or windows). This key is available in the Premier and Advantage editions.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 27
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-MacOsEndpointSecurityList

Comma-separated list of Duo-supported endpoint security agents that are allowed. For agents in this list, the app will block access unless one of those agents is running. A complete list of macOS security agents is available in a drop-down when editing the policy in the Admin Panel. This key is available in the Premier edition.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 28
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-MacOsRemediationNote

A text note (max 700 characters) with remediation instructions when an end user is blocked. This key is available in the Premier edition.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 29
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WindowsEndpointSecurityList

Comma-separated list of Duo-supported endpoint security agents that are allowed. For agents in this list, the app will block access unless one of those agents is running. A complete list of Windows security agents is available in a drop-down when editing the policy in the Admin Panel. This key is available in the Premier edition.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 30
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WindowsRemediationNote

A text note (max 700 characters) with remediation instructions when an end user is blocked. This key is available in the Premier edition.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 31
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequireDuoAppUpdates

Is true (default) if the Duo Mobile app must have up-to-date security patches. Otherwise false.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequiresFullDiskEncryption

Is true if the device used for authentication requires full-disk encryption. Otherwise false (default).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequiresMobileDeviceBiometrics

Is true if the mobile device used to authenticate requires Apple Touch ID, Face ID, or Android Fingerprint as additional verification when approving Duo Push login requests. Otherwise false (default).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-NewUserBehavior

Controls what happens after an unenrolled user passes primary authentication. One of: enroll (default): Require the user to enroll whenever possible. no-mfa: MFA is not required for unknown users; unenrolled users must enroll. deny: Denies authentication to unenrolled users.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 32
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AllowUnrestrictedOsList

Comma-separated list of operating systems that are allowed with no constraints or warnings. AllowUnrestrictedOsList and BlockOsList must not contain the same values.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 33
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BlockOsList

Comma-separated list of operating systems that are not allowed. AllowUnrestrictedOsList and BlockOsList must not contain the same values. Blocked Android or iOS versions will not be able to authenticate using Duo Push or Duo Mobile passcodes.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 34
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OperatingSystemToRestrict

Operating systems that can be further restricted: android, ios, macos, and windows.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 35
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OsWarnPolicy

Indicates when the user should be warned that their OS is out of date. Value is one of: no-remediation (default): No version checking; equivalent to "Never" when editing the policy in the UI. end-of-life: OS vendor no longer releases security updates. not-up-to-date: OS is not at the most recent patch release version. less-than-latest: OS is not at the most recently released version. less-than-version: OS is older than the version specified in warn_version.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 36
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OsWarnVersion

The specific OS version (from the list in the edit policy UI) subject to the out-of-date warning. Applicable only if warn_policy is less-than-version.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 37
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OsWarnRemediationDays

Number of days that the user will be warned. Value is one of 0, 14, 30 (default), 60, 90, 180, or 365.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 38
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OsBlockPolicy

Indicates when the user will be blocked from access. Values are the same as warn_policy.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 39
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OsBlockVersion

The specific OS version (from the list in the edit policy UI) that is being blocked. Values are the same as warn_version. Applicable only if block_policy is less-than-version.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 40
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-OsBlockRemediationDays

Number of days before the user will be blocked. Values are the same as warn_remediation_days.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 41
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-FlashPlugin

Specify how Flash plugins are treated. Value is one of allow-all or block-all (default).

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 42
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-JavaPlugin

Specify how Java plugins are treated. Value is one of: allow-all: No restrictions. warn-only (default): Warn if plugin is out of date. warn-and-block: Warn if out of date; block after java_max_ood_days. block-all: Blocked; no access.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 43
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-JavaMaxOutOfDateDays

The number of days that Java plugins may be out of date before access is blocked (java must be warn-and-block for the plugin to be blocked). Value is one of 0, 14, 30 (default), 60, 90, 180, or 365. Other values are invalid.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 44
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsEnabled

Is true if devices are remembered for browser-based apps. Otherwise false (default).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsRememberMethod

One of user-based (default) or risk-based. risk-based is only available in the Premier and Advantage editions.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 45
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsUserBasedConfirmPerApp

Is true if the user must confirm for each browser-based app separately. Otherwise false (default).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsUserBasedMaxTimeUnits

One of days or hours (default).

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 46
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsUserBasedMaxTimeValue

If max_time_units is set to: days: an integer 1 to 365, inclusive. hours: an integer 1 to 8760, inclusive. Defaults to 12.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 47
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsRiskBasedMaxTimeUnits

One of days or hours (default).

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 48
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BrowserAppsRiskBasedMaxTimeValue

If max_time_units is set to: days: an integer 1 to 365, inclusive. hours: an integer 1 to 8760, inclusive. Defaults to 30.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 49
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WindowsLogonEnabled

Is true if devices are remembered for Windows Logon. Otherwise false (default). 2FA will be enforced after users sign out, reboot, or change networks.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WindowsLogonMaxTimeUnits

One of days (default) or hours.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 50
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WindowsLogonMaxTimeValue

If max_time_units is set to: days: an integer 1 to 365, inclusive. hours: an integer 1 to 8760, inclusive. Defaults to 30.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 51
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-LimitToRiskBasedAuthMethods

Is true if the user is limited to risk-based authentication methods when Duo detects a higher-risk authentication. Otherwise false (default).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RiskBasedVerifiedPushDigits

The number of digits a verified push requires the user logging in to enter. An integer between 3 and 6, inclusive. Defaults to 6.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 52
Default value: 0
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequiresScreenLock

Is true (default) if the device must have a screen lock to be allowed for authentication. Otherwise false. Applies to iOS (8 and up) and Android.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-BlockTamperedDevices

Is true (default) if iOS or Android devices that are rooted or otherwise tampered with are not allowed for authentication. Otherwise false.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-TrustedEndpointChecking

Value is one of allow-all (default), require-trusted, or not-configured. Value will be not-configured if Trusted Endpoints management systems have not been configured. Trusted endpoints will still be checked for reporting purposes if allow-all is set, but untrusted endpoints will be allowed.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 53
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-CiscoSecureEndpointCanBlock

Is true if Cisco Secure Endpoint is allowed to block compromised endpoints. Otherwise false (default).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-TrustedEndpointCheckingMobile

Allowed values and default are the same as trusted_endpoint_checking. Duo recommends not setting this value separately from trusted_endpoint_checking. Since the user-agent string is self-reported by the browser, it's possible to manipulate it from the client side to change the value reported to Duo, with the potential effect of bypassing a policy intended to block access.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 54
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-RequireMfaCountriesList

List of one or more country codes. If the user's location matches one of the codes, that user is required to use MFA to authenticate.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 55
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DenyAccessCountriesList

List of one or more country codes. If the user's location matches one of the codes, that user is denied access.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 56
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AllowAccessNoMfaCountriesList

List of one or more country codes. If the user's location matches one of the codes, that user is allowed access without 2FA.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 57
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-IgnoreLocationCountriesList

List of one or more country codes. If the user's location matches one of the codes, no action is taken.

Type: Array
Parameter Sets: (All)
Aliases:

Required: False
Position: 58
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DefaultAction

Indicates behavior for country codes that aren't in any list. Values are one of: deny-access: User is denied access. ignore-location (default): No action is taken. require-mfa: User must use MFA to authenticate. allow-access-no-2fa: User is allowed access without 2FA.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 59
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AccountId

Target account ID. If specified, the Credential parameter must contain the account API credentials and URL.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 60
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

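Determines how PowerShell responds to progress updates generated by a script, cmdlet, or provider, such as the progress bars generated by the Write-Progress cmdlet.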

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES