This post takes you through Microsoft Azure Active Directory Conditional Access policies using the PowerShell Graph SDK module.
If you are new to the Graph module, first read the introductory post on Understanding Microsoft Graph SDK PowerShell.
Prerequisites
You must have the required permission on Azure Active Directory, usually Global Administrator.
You also need to download the PowerShell module for the Graph SDK.
Commands to use to read Conditional Access
To access and read the Conditional Access policies, we first need to find the required cmdlet.
Get-Command -Name get*conditionalaccess*
CommandType Name Version Source
----------- ---- ------- ------
Function Get-MgDeviceManagementConditionalAccessSetting 1.9.6 Microsoft.Graph.DeviceManagement.Enrolme…
Function Get-MgDeviceManagementExchangeOnPremisPolicyCondi… 1.9.6 Microsoft.Graph.DeviceManagement.Adminis…
Function Get-MgIdentityConditionalAccessAuthenticationCont… 1.9.6 Microsoft.Graph.Identity.SignIns
Function Get-MgIdentityConditionalAccessNamedLocation 1.9.6 Microsoft.Graph.Identity.SignIns
Function Get-MgIdentityConditionalAccessPolicy 1.9.6 Microsoft.Graph.Identity.SignIns
We will need Get-MgIdentityConditionalAccessPolicy.
The next step is finding the scope required to use it in the connection.
PS C:\> (Find-MgGraphCommand -Command Get-MgIdentityConditionalAccessPolicy)[0].permissions
Name IsAdmin Description FullDescription
---- ------- ----------- ---------------
Policy.Read.All True Read your organization's policies Allows the app to read your organization's policies on your behalf.
Conditional Access policies usually contain users, groups and applications too, so I will also include the additional scopes below.
PS C:\> $Scope=@('Policy.Read.All','User.Read.All','Group.Read.All','application.read.all')
PS C:\> Connect-MgGraph -Scopes $Scope
Accept the requested permissions to connect.
Reading Conditional Access policies
After connecting, we get the Conditional Access policies by using Get-MgIdentityConditionalAccessPolicy.
PS C:\> Get-MgIdentityConditionalAccessPolicy
Id CreatedDateTime Description DisplayName ModifiedDateTime State
-- --------------- ----------- ----------- ---------------- -----
38ee93a3-c921-471e-b4d4-fa0cd452187f 08-Jun-22 5:36:15 AM PolicyA 08-Jun-22 6:43:30 AM enabledForRepor…
To read the properties of this policy we can specify the policy ID, as follows.
PS C:\> Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f | fl
Conditions : Microsoft.Graph.PowerShell.Models.MicrosoftGraphConditionalAccessConditionSet1
CreatedDateTime : 08-Jun-22 5:36:15 AM
Description :
DisplayName : PolicyA
GrantControls : Microsoft.Graph.PowerShell.Models.MicrosoftGraphConditionalAccessGrantControls
Id : 38ee93a3-c921-471e-b4d4-fa0cd452187f
ModifiedDateTime : 08-Jun-22 6:43:30 AM
SessionControls : Microsoft.Graph.PowerShell.Models.MicrosoftGraphConditionalAccessSessionControls1
State : enabledForReportingButNotEnforced
AdditionalProperties : {[@odata.context,
https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity]}
The easy part is getting the DisplayName, as it is listed without any complication.
Most of the important properties are part of the Conditions object, which includes
- Applications
- ClientApplications
- ClientAppTypes
- Devices
- Locations
- Platforms
- SignInRiskLevels
- UserRiskLevels
- Users
Reading Conditional Access users using PowerShell Graph
To get the list of users the policy is applied to, use the following line.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Users
ExcludeGroups ExcludeRoles ExcludeUsers IncludeGroups IncludeRoles IncludeUsers
------------- ------------ ------------ ------------- ------------ ------------
{} {} {} {d5b88427-5096-4247-a901-45d61faa3c43} {} {7adf1ccb-826f-44c7-b19d-df2899c1e864, 8f891764-4a1e-4074-8bee-71d32c7d…
The IncludeUsers are represented by the user GUID. To get the username for each GUID we need to use Get-MgUser
and pass the GUID as a parameter.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Users.IncludeUsers | ForEach-Object {Get-MgUser -UserId $_}
Id DisplayName Mail UserPrincipalName UserType
-- ----------- ---- ----------------- --------
7adf1ccb-826f-44c7-b19d-df2899c1e864 UserB UserB@domain.onmicrosoft.com
8f891764-4a1e-4074-8bee-71d32c7d37c1 UserC UserC@domain.onmicrosoft.com
ab62251f-7466-4e64-ac2f-eee7a45de754 UserA userA@domain.onmicrosoft.com
If you connect without the User.Read.All scope, you get the following error.
Get-MgApplication_Get1: Insufficient privileges to complete the operation.
Reading Conditional Access groups using PowerShell Graph
To get the names of the groups assigned to the Conditional Access policy, use the following line.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Users.IncludeGroups | ForEach-Object {Get-MgGroup -GroupId $_}
Id DisplayName Description GroupTypes
-- ----------- ----------- ----------
d5b88427-5096-4247-a901-45d61faa3c43 Internal Admin {}
Reading applications using PowerShell Graph
The following line shows the list of cloud applications assigned in the Conditional Access policy.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Applications
ExcludeApplications IncludeApplications IncludeAuthenticationContextClassReferences IncludeUserActions
------------------- ------------------- ------------------------------------------- ------------------
{} {a3868bcb-44aa-4341-9d47-cba3fb23f280, Office365} {} {}
As shown in the output, the IncludeApplications contain Office365 and an application represented only by its application ID. To look up that application we use the Get-MgApplication cmdlet.
PS C:\Users\rescu> Get-MgApplication -All -Filter "AppId eq 'a3868bcb-44aa-4341-9d47-cba3fb23f280'"
Id DisplayName AppId SignInAudience PublisherDomain
-- ----------- ----- -------------- ---------------
51641d13-32a5-415d-bd82-28a415bde99a webapp a3868bcb-44aa-4341-9d47-cba3fb23f280 AzureADMyOrg domain.com
But since we did not specify Application.Read.All in the scope, we get an error.
Let's add the application scope and try again.
Connect-MgGraph -Scopes application.read.all
Accept the permission and rerun the line.
Run the following line to get the application name.
PS C:\> Get-MgApplication -All -Filter "AppId eq 'a3868bcb-44aa-4341-9d47-cba3fb23f280'"
Id DisplayName AppId SignInAudience PublisherDomain
-- ----------- ----- -------------- ---------------
51641d13-32a5-415d-bd82-28a415bde99a webapp a3868bcb-44aa-4341-9d47-cba3fb23f280 AzureADMyOrg MyTenant.onmicrosoft.com
Read user risk, platforms, locations, and client apps
Use the following command to get the user risk levels.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.UserRiskLevels
high
medium
To get the device platforms, use the following line.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Platforms
ExcludePlatforms IncludePlatforms
---------------- ----------------
{} {iOS, windowsPhone}
To get the Conditional Access location conditions, use the following line.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Locations
ExcludeLocations IncludeLocations
---------------- ----------------
{} {AllTrusted}
To read only the IncludeLocations, use the following.
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.Locations.IncludeLocations
AllTrusted
To get the Conditional Access client application types, which ########
PS C:\> (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 38ee93a3-c921-471e-b4d4-fa0cd452187f).Conditions.ClientAppTypes
exchangeActiveSync
browser
mobileAppsAndDesktopClients
other
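The user, group and application lookups above each resolve one GUID at a time for one policy. The following script, an added example that is not part of the original post, pulls them together into a review of every policy in the tenant: it resolves the include and exclude lists to names, passes built-in keywords such as All or Office365 through untouched (Get-MgUser would fail on them), falls back to Get-MgServicePrincipal for first-party apps that have no app registration, and flags policies whose State is not enabled, since a report-only policy like the one shown above enforces nothing. It assumes Connect-MgGraph was already run with the four Read.All scopes from the post; Resolve-CAObject and Get-CAPolicyReport are names chosen here.

```powershell
# Added example (not from the original post): enumerate every Conditional Access
# policy, resolve the GUIDs in its user, group and application conditions to
# display names, and flag policies that are not enforced.
# Assumes Connect-MgGraph was already run with the four *.Read.All scopes above.

function Resolve-CAObject {
    param([string]$Id, [ValidateSet('User','Group','App')][string]$Kind)
    # Keywords such as 'All', 'None', 'GuestsOrExternalUsers' or 'Office365' are not
    # directory objects; Get-MgUser -UserId 'All' would fail, so pass them through.
    if ($Id -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') { return $Id }
    try {
        switch ($Kind) {
            'User'  { return (Get-MgUser -UserId $Id -ErrorAction Stop).UserPrincipalName }
            'Group' { return (Get-MgGroup -GroupId $Id -ErrorAction Stop).DisplayName }
            'App'   {
                # Conditional Access stores the AppId; first-party apps (Exchange Online,
                # SharePoint, ...) have no app registration, only a service principal.
                $app = Get-MgApplication -All -Filter "AppId eq '$Id'" -ErrorAction Stop
                if (-not $app) { $app = Get-MgServicePrincipal -Filter "appId eq '$Id'" -ErrorAction Stop }
                if ($app) { return $app.DisplayName }
                return "$Id (unknown app)"
            }
        }
    } catch {
        # A deleted object or a missing *.Read.All scope both land here; keep the GUID visible.
        return "$Id (unresolved: $($_.Exception.Message))"
    }
}

function Get-CAPolicyReport {
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $u = $p.Conditions.Users; $a = $p.Conditions.Applications
        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            State         = $p.State   # 'enabled', 'disabled' or 'enabledForReportingButNotEnforced'
            Enforced      = ($p.State -eq 'enabled')
            IncludeUsers  = @($u.IncludeUsers  | ForEach-Object { Resolve-CAObject $_ 'User'  }) -join ', '
            ExcludeUsers  = @($u.ExcludeUsers  | ForEach-Object { Resolve-CAObject $_ 'User'  }) -join ', '
            IncludeGroups = @($u.IncludeGroups | ForEach-Object { Resolve-CAObject $_ 'Group' }) -join ', '
            ExcludeGroups = @($u.ExcludeGroups | ForEach-Object { Resolve-CAObject $_ 'Group' }) -join ', '
            IncludeApps   = @($a.IncludeApplications | ForEach-Object { Resolve-CAObject $_ 'App' }) -join ', '
            ExcludeApps   = @($a.ExcludeApplications | ForEach-Object { Resolve-CAObject $_ 'App' }) -join ', '
        }
    }
}

# Unenforced policies and exclusions are where coverage gaps hide, so list those first.
Get-CAPolicyReport | Sort-Object Enforced, DisplayName | Format-List
```

Pipe the output to Export-Csv to keep a dated baseline; diffing two baselines shows exactly which users, groups or apps were excluded or which policy was switched to report-only in between.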