You may be aware that next year the Azure Active Directory Graph components will retire. It is an older component that is separate from the core Microsoft Graph. The Azure Active Directory (AzureAD) and Microsoft Online (MSOnline) PowerShell command depend on this. Most of the commands will work for a while; however, the best practice is to migrate any PowerShell scripts that utilize it to the new Microsoft Graph PowerShell commands.
See the notice here: https://azure.microsoft.com/en-us/updates/update-your-apps-to-use-microsoft-graph-before-30-june-2022/
As per my last post, creating Conditional access policies using the Azure Active Directory (AzureAD) PowerShell module needs updating.
See Create Conditional Access Policies using PowerShell.
How Do We Use the Microsoft Graph PowerShell Commands?
Firstly, we need to install the Microsoft Graph PowerShell module. Install and then import the module using the following commands:
Install-Module Microsoft.Graph
Import-Module Microsoft.Graph
NOTE: If you get errors when importing the module about the profile not containing the commands, you will need to adjust your session and set the profile to “beta.”

NOTE: Ensure you are using PowerShell 7.
Select-MgProfile -Name "beta"
Import-Module Microsoft.Graph
Next, you can sign in to Microsoft Graph and specify the required permission scopes. Sign in with an admin account, then use the “Connect-MgGraph” command followed by the “-Scopes” parameter, which lets you consent to the required permissions.
Connect-MgGraph -Scopes `
"Policy.Read.All", `
"Policy.ReadWrite.ConditionalAccess", `
"Application.Read.All"
As part of the connection, you need to consent to the required permissions.

Now we have a connection (thank you for the “Welcome to Microsoft Graph!” message), we can start to create the conditional access policies. To create a new policy, we will use the command “New-MgIdentityConditionalAccessPolicy.” The documentation doesn’t just show up in a web search, so use the following link:
https://docs.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-beta
The command requires various parameters similar to the Azure AD PowerShell command. We will first retrieve the conditional access policies already created using the “Get-MgIdentityConditionalAccessPolicy” command to get started.
Get-MgIdentityConditionalAccessPolicy
Once executed, all current conditional access policies are returned with their unique ID and name.

To retrieve a single policy, we modify the command passing in the unique ID of the conditional access policy.
$policy = Get-MgIdentityConditionalAccessPolicy `
-ConditionalAccessPolicyId c975fe50-58a4-4730-b1a7-491f294bec9a
Now we have an existing policy loaded, we can review all the settings available by using the following syntax:
$policy.Conditions.Applications
$policy.GrantControls.BuiltInControls
$policy.Conditions.ClientAppTypes
So far, it looks very similar to using the AzureAD PowerShell commands. Let’s say we need to create a conditional access policy that blocks legacy authentication. With the AzureAD module, we first had to create strongly typed objects in PowerShell: first the Conditions container, populated with the applications, users, and client app types, and then the controls container with the operator and the controls, such as granting or blocking access.
The difference here is that we don’t create typed objects; we build plain PowerShell hashtables (which the cmdlet accepts in place of PSCustomObject). The objects follow the same structure as the AzureAD PowerShell properties, but are easier to create and manage. The structure closely mirrors the JSON body that Microsoft Graph expects.
# Conditions: every user, every cloud app, restricted to legacy client app types.
# Newlines separate hashtable entries, so no backtick line continuations are needed.
$conditions = @{
    Applications = @{
        includeApplications = 'All'
    }
    Users = @{
        includeUsers = 'All'
    }
    ClientAppTypes = @(
        'ExchangeActiveSync',
        'Other'
    )
}
# Grant controls: requiring MFA denies legacy clients because they cannot complete
# an MFA challenge; the 'block' built-in control would deny access outright.
$grantcontrols = @{
    BuiltInControls = @('mfa')
    Operator = 'OR'
}
Once you create the variables, you set the name, description, and state and then pass in the created objects as required.
$name = "C001 - Block Legacy Authentication All Apps (Graph PowerShell)"
$state = "Disabled"
New-MgIdentityConditionalAccessPolicy `
-DisplayName $name `
-State $state `
-Conditions $conditions `
-GrantControls $grantcontrols
Once executed, this creates the Conditional Access policy.
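As an added example (not code from the original post), the same hashtable structure can be used defensively: audit the tenant for any policy that already covers legacy authentication, and if none exists, create one in report-only mode so sign-in logs reveal what would be blocked before it is enforced. It assumes Connect-MgGraph has already been run with the scopes shown above; the function names and policy name are this example's own choices.

```powershell
# Added example (not from the original post). Assumes an existing Connect-MgGraph
# session with Policy.Read.All and Policy.ReadWrite.ConditionalAccess.
$legacyAppTypes = @('exchangeActiveSync', 'other')
$policyName     = 'C001 - Block Legacy Authentication All Apps (Graph PowerShell)'

function Get-LegacyAuthPolicies {
    # Return every policy whose client app types include a legacy protocol and
    # whose grant controls would deny a legacy client (block, or mfa which
    # legacy clients cannot satisfy).
    Get-MgIdentityConditionalAccessPolicy | Where-Object {
        $types = @($_.Conditions.ClientAppTypes) | ForEach-Object { $_.ToLower() }
        $ctrls = @($_.GrantControls.BuiltInControls) | ForEach-Object { $_.ToLower() }
        ($types | Where-Object { $legacyAppTypes -contains $_ }) -and
        ($ctrls -contains 'block' -or $ctrls -contains 'mfa')
    }
}

function New-LegacyAuthReportOnlyPolicy {
    # Same hashtable shape as the post, but in report-only state so the policy
    # is evaluated and logged without being enforced yet.
    $body = @{
        DisplayName   = $policyName
        State         = 'enabledForReportingButNotEnforced'
        Conditions    = @{
            Applications   = @{ includeApplications = 'All' }
            Users          = @{ includeUsers = 'All' }
            ClientAppTypes = $legacyAppTypes
        }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$existing = Get-LegacyAuthPolicies
if ($existing) {
    $existing | Select-Object DisplayName, State, Id | Format-Table -AutoSize
    # Flag policies that exist but are not yet enforcing.
    $existing | Where-Object { $_.State -ne 'enabled' } | ForEach-Object {
        Write-Warning "Legacy auth policy '$($_.DisplayName)' is in state '$($_.State)'"
    }
} else {
    Write-Warning 'No policy covers legacy authentication; creating one in report-only mode.'
    New-LegacyAuthReportOnlyPolicy
}
```

Review the report-only results in the Azure AD sign-in logs before switching the policy state to enabled.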

You can see that the Microsoft Graph PowerShell commands are as feature-rich as, if not more than, the current Azure Active Directory (AzureAD) PowerShell commands. The learning curve may be a little less straightforward at first due to the structure, but it becomes much easier and a lot more powerful once you understand how it works.