For quite a long time, conditional access policy creation has only been available via complicated Graph API calls or Azure Active Directory. Though this works well, it is often not ideal when trying to deploy to multiple tenants.
As with most repeatable deployment options, PowerShell is the tool of choice. Luckily, the Azure Active Directory module includes commands for both retrieving and creating conditional access policies.
To use the PowerShell commands and create policies, you must be a Global Administrator, Conditional Access Administrator, or Security Administrator. To read the policies, you only need the Global Reader or Security Reader role.
Step 1: Connect to Azure Active Directory using PowerShell
```powershell
# Install and load the AzureAD module, then sign in to the tenant
Install-Module -Name AzureAD -AllowClobber -Force
Import-Module -Name AzureAD
Connect-AzureAD
```
To view the definition of all Conditional access policies, you can execute the following command:
The PowerShell commands available for conditional access policy creation and management are:
Step 2: Create the Conditional set object
To create the policy, you first need to define the controls for the policy. Each policy contains the conditions and access controls that make it up. These are called “Classes” within PowerShell, and you can see them when you inspect the structure of a policy in PowerShell. The classes are:
- Conditional Access Conditions Set
- Included Applications
- Excluded Applications
- Included User Actions
- Included Protection Levels
- Conditional Access User Condition
- Include Users
- Exclude Users
- Include Groups
- Exclude Groups
- Include Roles
- Exclude Roles
- Sign In Risk Levels
- Client App Types
- Conditional Access Grant Controls
- Built In Controls
- Custom Authentication Factors
- Session Controls
Creating the set of information required is not easy, as you need to know the unique IDs of the applications or objects you want to use. The most straightforward approach is to use PowerShell to view an existing policy and then check each value used. Once you retrieve the policy, you can view its properties by typing the name of the container you want to inspect.
```powershell
# Retrieve an existing policy by ID and inspect the containers it uses
$policy = Get-AzureADMSConditionalAccessPolicy `
    -PolicyId d3234880-7672-488c-b41f-2121d630804e
$policy.Conditions.Applications
$policy.GrantControls.BuiltInControls
$policy.Conditions.ClientAppTypes
```
Let’s say we need to create a conditional access policy that blocks legacy authentication. To make this, we first need to create strongly typed objects in PowerShell.
We first create the Conditions container and then populate the applications, users, and client app types. Next, we make the controls container adding in the operator and controls such as granting or blocking access.
```powershell
# Conditions: all applications, all users, legacy client app types
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
$conditions.ClientAppTypes = @('ExchangeActiveSync', 'Other')

# Grant controls: block access
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "block"
```
Step 3: Create the Conditional access policy
To create the policy, we first create the variables for the name, description, and state and then pass in the conditions and grant controls objects created in Step 2.
```powershell
$name = "C001 - Block Legacy Authentication All Apps"
$state = "Disabled"

# Create the policy from the objects built in Step 2
New-AzureADMSConditionalAccessPolicy `
    -DisplayName $name `
    -State $state `
    -Conditions $conditions `
    -GrantControls $controls
```
After saving the policy, it is visible in the Azure Active Directory Conditional Access policies and viewable using PowerShell.
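Running Steps 2 and 3 a second time in the same tenant creates a second policy with the same name, and a policy that blocks all users has no exclusion for an emergency-access account. The following added example (not code from the original post) wraps the same objects in a create-or-update function; the function name `Deploy-LegacyAuthBlock`, the `-BreakGlassUpn` parameter, and the sample UPN are hypothetical, and it assumes an existing `Connect-AzureAD` session.

```powershell
# Added example: idempotent create-or-update of the legacy-auth block policy.
# Assumes an existing Connect-AzureAD session. Deploy-LegacyAuthBlock and
# -BreakGlassUpn are hypothetical names chosen for illustration.
function Deploy-LegacyAuthBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayName = 'C001 - Block Legacy Authentication All Apps',
        [Parameter(Mandatory)][string]$BreakGlassUpn,
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Resolve the emergency-access account first; fail here rather than deploy
    # a block-all policy that has no exclusion.
    $breakGlass = Get-AzureADUser -ObjectId $BreakGlassUpn -ErrorAction Stop

    $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $conditions.Applications.IncludeApplications = 'All'
    $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $conditions.Users.IncludeUsers = 'All'
    $conditions.Users.ExcludeUsers = $breakGlass.ObjectId
    $conditions.ClientAppTypes = @('ExchangeActiveSync', 'Other')

    $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $controls._Operator = 'OR'
    $controls.BuiltInControls = 'block'

    # Match on display name so a re-run updates the policy instead of duplicating it.
    $existing = @(Get-AzureADMSConditionalAccessPolicy |
        Where-Object { $_.DisplayName -eq $DisplayName })
    if ($existing.Count -gt 1) {
        throw "Found $($existing.Count) policies named '$DisplayName'; resolve duplicates first."
    }

    if ($existing.Count -eq 1) {
        if ($PSCmdlet.ShouldProcess($DisplayName, "Update policy (state: $State)")) {
            Set-AzureADMSConditionalAccessPolicy -PolicyId $existing[0].Id `
                -DisplayName $DisplayName -State $State `
                -Conditions $conditions -GrantControls $controls
        }
    }
    elseif ($PSCmdlet.ShouldProcess($DisplayName, "Create policy (state: $State)")) {
        New-AzureADMSConditionalAccessPolicy -DisplayName $DisplayName -State $State `
            -Conditions $conditions -GrantControls $controls
    }
}
# Constructed sample UPN; -WhatIf previews the change without writing to the tenant.
Deploy-LegacyAuthBlock -BreakGlassUpn 'breakglass@contoso.example' -WhatIf
```

The default state here is report-only (`enabledForReportingButNotEnforced`), so sign-in logs show which clients the policy would block before you switch it to `enabled`.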
As with all things PowerShell, it is relatively easy to create repeatable scripts for conditional access policies. For me, I love using PowerShell to achieve this, as it allows me to create once and execute multiple times in different tenants as I need to.