Export of Conditional Access Policies with Microsoft Graph API
Conditional Access policies are a critical component of Azure AD security, providing the necessary controls to enforce organizational security requirements. Managing these policies, especially in large environments, can be challenging without the right tools. This article explores a PowerShell script designed to export all Conditional Access policies from Microsoft Graph, providing detailed insights into each setting within those policies.
SCRIPT OVERVIEW
The script is designed to connect to Microsoft Graph and retrieve all Conditional Access policies configured within an Azure AD tenant. The script then exports these policies, detailing each setting in its own column, making it easier for administrators to analyze and manage their Conditional Access configurations.
Here is the script :
<# .SYNOPSIS Get-ConditionalAccessPolicies.ps1
.DESCRIPTION Export all Conditional Access policies from Microsoft Graph, including all settings, with each setting in its own column. #> Import-Module -Name ‘Microsoft.Graph’ Import-Module -Name ‘Microsoft.Graph.Authentication’
Variables
Section titled “Variables”$TenantId = "" # Azure AD Tenant ID $ClientId = "" # Application (client) ID $ClientSecret = ""
Convert Client Secret to Secure String
Section titled “Convert Client Secret to Secure String”$SecureClientSecret = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
Create credential object
Section titled “Create credential object”$Credential = New-Object System.Management.Automation.PSCredential($ClientId, $SecureClientSecret)
Acquire a token
Section titled “Acquire a token”$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -ClientSecret $SecureClientSecret -Scopes https://graph.microsoft.com/.default
Convert token to secure string
Section titled “Convert token to secure string”$SecureToken = ConvertTo-SecureString $Token.AccessToken -AsPlainText -Force
Connect to Microsoft Graph
Section titled “Connect to Microsoft Graph”Connect-MgGraph -AccessToken $SecureToken
Retrieve all Conditional Access policies
Section titled “Retrieve all Conditional Access policies”$policies = Get-MgIdentityConditionalAccessPolicy -All
Array to store results
Section titled “Array to store results”$results = @()
foreach ($policy in $policies) { $result = [PSCustomObject]@{ Id = $policy.Id DisplayName = $policy.DisplayName State = $policy.State CreatedDateTime = $policy.CreatedDateTime ModifiedDateTime = $policy.ModifiedDateTime Description = $policy.Description
Grant Controls
Section titled “Grant Controls”GrantControls_BuiltInControls = $policy.GrantControls.BuiltInControls -join ’,’ GrantControls_CustomControls = $policy.GrantControls.CustomControls -join ’,’ GrantControls_Operator = $policy.GrantControls.Operator
Session Controls
Section titled “Session Controls”SessionControls_ApplicationEnforcedRestrictions = $policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled SessionControls_PersistentBrowser = $policy.SessionControls.PersistentBrowser.IsEnabled SessionControls_PersistentBrowserMode = $policy.SessionControls.PersistentBrowser.Mode SessionControls_SignInFrequency = $policy.SessionControls.SignInFrequency.IsEnabled FrequencyInterval = $policy.SessionControls.SignInFrequency.FrequencyInterval
Conditions
Section titled “Conditions”IncludedUsers = $policy.Conditions.Users.IncludeUsers -join ’,’ ExcludedUsers = $policy.Conditions.Users.ExcludeUsers -join ’,’ IncludedGroups = $policy.Conditions.Users.IncludeGroups -join ’,’ ExcludedGroups = $policy.Conditions.Users.ExcludeGroups -join ’,’ IncludedRoles = $policy.Conditions.Users.IncludeRoles -join ’,’ ExcludedRoles = $policy.Conditions.Users.ExcludeRoles -join ’,’ IncludePlatforms = $policy.Conditions.Platforms.IncludePlatforms -join ’,’ ExcludePlatforms = $policy.Conditions.Platforms.ExcludePlatforms -join ’,’ IncludeLocations = $policy.Conditions.Locations.IncludeLocations -join ’,’ ExcludeLocations = $policy.Conditions.Locations.ExcludeLocations -join ’,’ IncludeDeviceStates = $policy.Conditions.Devices.IncludeDeviceStates -join ’,’ ExcludeDeviceStates = $policy.Conditions.Devices.ExcludeDeviceStates -join ’,’ DeviceFilterMode = $policy.Conditions.Devices.DeviceFilter.Mode -join ’,’ DeviceFilterRule = $policy.Conditions.Devices.DeviceFilter.Rule -join ’,’ IncludeApplications = $policy.Conditions.Applications.IncludeApplications -join ’,’ ExcludeApplications = $policy.Conditions.Applications.ExcludeApplications -join ’,’ IncludeUserActions = $policy.Conditions.Applications.IncludeUserActions -join ’,’ ClientAppTypes = $policy.Conditions.ClientAppTypes -join ’,’ SignInRiskLevels_IncludeLevels = $policy.Conditions.SignInRiskLevels.IncludeLevels -join ’,’ SignInRiskLevels_ExcludeLevels = $policy.Conditions.SignInRiskLevels.ExcludeLevels -join ’,’ ServicePrincipalRiskLevels_IncludeLevels = $policy.Conditions.ServicePrincipalRiskLevels.IncludeLevels -join ’,’ insiderRiskLevels =$policy.Conditions.InsiderRiskLevels ServicePrincipalRiskLevels_ExcludeLevels = $policy.Conditions.ServicePrincipalRiskLevels.ExcludeLevels -join ’,’ DeviceStates_IncludeDeviceStates = $policy.Conditions.DeviceStates.IncludeDeviceStates -join ’,’ DeviceStates_ExcludeDeviceStates = $policy.Conditions.DeviceStates.ExcludeDeviceStates -join ’,’ }
$results += $result }
Convert results to JSON format
Section titled “Convert results to JSON format”Write-Output "