This post takes you through Microsoft Azure Active Directory Conditional Access policies using the PowerShell Graph SDK module.
If you are new to the Graph module, go first and read the introductory post on Understanding Microsoft Graph SDK PowerShell
Prerequisites
You need the required permissions on Azure Active Directory, usually Global Administrator.
You also need to download and install the PowerShell module for the Graph SDK.
Commands to Use to Read Conditional Access
To access and read the Conditional Access policies, we need to find the required cmdlet.
Get-Command -Name get*conditionalaccess*
CommandType Name Version Source
----------- ---- ------- ------
Function Get-MgDeviceManagementConditionalAccessSetting 1.9.6 Microsoft.Graph.DeviceManagement.Enrolme…
Function Get-MgDeviceManagementExchangeOnPremisPolicyCondi… 1.9.6 Microsoft.Graph.DeviceManagement.Adminis…
Function Get-MgIdentityConditionalAccessAuthenticationCont… 1.9.6 Microsoft.Graph.Identity.SignIns
Function Get-MgIdentityConditionalAccessNamedLocation 1.9.6 Microsoft.Graph.Identity.SignIns
Function Get-MgIdentityConditionalAccessPolicy 1.9.6 Microsoft.Graph.Identity.SignIns
We will need the Get-MgIdentityConditionalAccessPolicy cmdlet.
The next step is defining the required scope to use it in the connection.
PS C:\> (Find-MgGraphCommand -Command Get-MgIdentityConditionalAccessPolicy)[0].permissions
Name IsAdmin Description FullDescription
---- ------- ----------- ---------------
Policy.Read.All True Read your organization's policies Allows the app to read your organization's policies on your behalf.
Conditional access policies usually reference users, groups and applications too, so I will also include the additional scopes needed to resolve them, as follows.
PS C:\> $Scope=@('Policy.Read.All','User.Read.All','Group.Read.All','application.read.all')
PS C:\> Connect-MgGraph -Scopes $Scope
Accept the required permission to connect.
Reading Conditional Access policies
After connecting, we retrieve the conditional access policies with Get-MgIdentityConditionalAccessPolicy.
PS C:\> Get-MgIdentityConditionalAccessPolicy
Id CreatedDateTime Description DisplayName ModifiedDateTime State
-- --------------- ----------- ----------- ---------------- -----
38ee93a3-c921-471e-b4d4-fa0cd452187f 08-Jun-22 5:36:15 AM PolicyA 08-Jun-22 6:43:30 AM enabledForRepor…
To read the properties of this policy, specify the policy ID as follows.
PS C:\> Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f | fl
Conditions : Microsoft.Graph.PowerShell.Models.MicrosoftGraphConditionalAccessConditionSet1
CreatedDateTime : 08-Jun-22 5:36:15 AM
Description :
DisplayName : PolicyA
GrantControls : Microsoft.Graph.PowerShell.Models.MicrosoftGraphConditionalAccessGrantControls
Id : 38ee93a3-c921-471e-b4d4-fa0cd452187f
ModifiedDateTime : 08-Jun-22 6:43:30 AM
SessionControls : Microsoft.Graph.PowerShell.Models.MicrosoftGraphConditionalAccessSessionControls1
State : enabledForReportingButNotEnforced
AdditionalProperties : {[@odata.context,
https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity]}
The easy part is getting the DisplayName, as it is listed directly with no complication.
Getting the list of users, groups and applications the policy applies to takes a few more steps, because most of the important properties are part of the Conditions object, which includes:
- Applications
- ClientApplications
- ClientAppTypes
- Devices
- Locations
- Platforms
- SignInRiskLevels
- UserRiskLevels
- Users
Reading Conditional Access Users using PowerShell Graph
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Users
ExcludeGroups ExcludeRoles ExcludeUsers IncludeGroups IncludeRoles IncludeUsers
------------- ------------ ------------ ------------- ------------ ------------
{} {} {} {d5b88427-5096-4247-a901-45d61faa3c43} {} {7adf1ccb-826f-44c7-b19d-df2899c1e864, 8f891764-4a1e-4074-8bee-71d32c7d…
The IncludeUsers entries are user GUIDs. To get the username behind each GUID, use Get-MgUser and pass the GUID as the -UserId parameter.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Users.IncludeUsers | ForEach-Object {Get-MgUser -UserId $_}
Id DisplayName Mail UserPrincipalName UserType
-- ----------- ---- ----------------- --------
7adf1ccb-826f-44c7-b19d-df2899c1e864 UserB UserB@domain.onmicrosoft.com
8f891764-4a1e-4074-8bee-71d32c7d37c1 UserC UserC@domain.onmicrosoft.com
ab62251f-7466-4e64-ac2f-eee7a45de754 UserA userA@domain.onmicrosoft.com
If you connect without using the User.Read.All scope, you get the following error
Get-MgApplication_Get1: Insufficient privileges to complete the operation.
Reading Conditional Access Groups using PowerShell Graph
To get the name of the groups that are assigned to conditional access policies use the following line
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Users.IncludeGroups | ForEach-Object {Get-MgGroup -GroupId $_}
Id DisplayName Description GroupTypes
-- ----------- ----------- ----------
d5b88427-5096-4247-a901-45d61faa3c43 Internal Admin {}
Reading Applications using PowerShell Graph
The following line of code shows the list of assigned Cloud Applications in the Conditional Access policies
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Applications
ExcludeApplications IncludeApplications IncludeAuthenticationContextClassReferences IncludeUserActions
------------------- ------------------- ------------------------------------------- ------------------
{} {a3868bcb-44aa-4341-9d47-cba3fb23f280, Office365} {} {}
As shown in the output, IncludeApplications contains Office365 and an application represented only by its application ID. To find this application, use the Get-MgApplication cmdlet.
PS C:\Users\rescu> Get-MgApplication -All -Filter "AppId eq 'a3868bcb-44aa-4341-9d47-cba3fb23f280'"
Id DisplayName AppId SignInAudience PublisherDomain
-- ----------- ----- -------------- ---------------
51641d13-32a5-415d-bd82-28a415bde99a webapp a3868bcb-44aa-4341-9d47-cba3fb23f280 AzureADMyOrg domain.com
But since we did not specify the Application.Read.All in the scope we get an
Let’s add the application to the scope and try again.
Connect-MgGraph -Scopes application.read.all
Accept the permission and rerun the line
Run the following line to get the application name
PS C:\> Get-MgApplication -All -Filter "AppId eq 'a3868bcb-44aa-4341-9d47-cba3fb23f280'"
Id DisplayName AppId SignInAudience PublisherDomain
-- ----------- ----- -------------- ---------------
51641d13-32a5-415d-bd82-28a415bde99a webapp a3868bcb-44aa-4341-9d47-cba3fb23f280 AzureADMyOrg MyTenant.onmicrosoft.com
Read User Risk, Platforms, Location, and Client apps
Use the following command to get the user risk levels
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.UserRiskLevels
high
medium
To get the device platforms use the following line
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Platforms
ExcludePlatforms IncludePlatforms
---------------- ----------------
{} {iOS, windowsPhone}
To get conditional access location conditions use the following line
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.locations
ExcludeLocations IncludeLocations
---------------- ----------------
{} {AllTrusted}
To read only the IncludeLocations, use the following line.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.locations.IncludeLocations
AllTrusted
To get the Conditional Access client app types, use the following line.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.ClientAppTypes
exchangeActiveSync
browser
mobileAppsAndDesktopClients
other
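Putting the sections above together, here is an added example (not code from the original post) that walks every policy in the tenant, resolves the user, group and application GUIDs to names, and flags policies whose State is report-only or disabled, since those do not enforce anything. It assumes Connect-MgGraph has already run with the Policy.Read.All, User.Read.All, Group.Read.All and Application.Read.All scopes shown earlier; the function names Resolve-CaUser, Resolve-CaGroup, Resolve-CaApp and Get-CaPolicyReport are my own.

```powershell
# Added example: resolve Conditional Access GUIDs to names and flag unenforced
# policies. Assumes Connect-MgGraph ran with Policy/User/Group/Application .Read.All.
function Resolve-CaUser {
    param([string]$Id)
    # Well-known literal values that are not object GUIDs
    if ($Id -in @('All', 'None', 'GuestsOrExternalUsers')) { return $Id }
    try { return (Get-MgUser -UserId $Id -ErrorAction Stop).UserPrincipalName }
    catch { return "$Id (unresolved)" }
}

function Resolve-CaGroup {
    param([string]$Id)
    if ($Id -in @('All', 'None')) { return $Id }
    try { return (Get-MgGroup -GroupId $Id -ErrorAction Stop).DisplayName }
    catch { return "$Id (unresolved)" }
}

function Resolve-CaApp {
    param([string]$Id)
    if ($Id -in @('All', 'None', 'Office365')) { return $Id }
    # Get-MgApplication only sees app registrations owned by this tenant; the
    # service principal lookup also covers first-party and gallery apps.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$Id'" -ErrorAction SilentlyContinue
    if ($sp) { return $sp.DisplayName }
    return "$Id (unresolved)"
}

function Get-CaPolicyReport {
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $u = $p.Conditions.Users
        $a = $p.Conditions.Applications
        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            State         = $p.State
            # enabledForReportingButNotEnforced and disabled policies block nothing
            Enforced      = ($p.State -eq 'enabled')
            IncludeUsers  = ($u.IncludeUsers  | ForEach-Object { Resolve-CaUser  $_ }) -join ', '
            ExcludeUsers  = ($u.ExcludeUsers  | ForEach-Object { Resolve-CaUser  $_ }) -join ', '
            IncludeGroups = ($u.IncludeGroups | ForEach-Object { Resolve-CaGroup $_ }) -join ', '
            ExcludeGroups = ($u.ExcludeGroups | ForEach-Object { Resolve-CaGroup $_ }) -join ', '
            IncludeApps   = ($a.IncludeApplications | ForEach-Object { Resolve-CaApp $_ }) -join ', '
            ExcludeApps   = ($a.ExcludeApplications | ForEach-Object { Resolve-CaApp $_ }) -join ', '
            GrantControls = ($p.GrantControls.BuiltInControls -join ', ')
        }
    }
}
Get-CaPolicyReport | Format-List
```

Reviewing the Enforced and ExcludeUsers columns together is a quick way to spot report-only policies and broad exclusions that quietly weaken the policy set.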