
Export of Conditional Access Policies with Microsoft Graph API

Conditional Access policies are a critical component of Azure AD security, providing the necessary controls to enforce organizational security requirements. Managing these policies, especially in large environments, can be challenging without the right tools.

The script below connects to Microsoft Graph and retrieves every Conditional Access policy configured in the Azure AD tenant. It then exports the policies to a CSV file, with each setting in its own column, so that administrators can review, filter and compare their Conditional Access configuration outside the portal.

```powershell
# Connect to Microsoft Graph with the least privilege needed to read policies
Connect-MgGraph -Scopes "Policy.Read.All"

# Get all Conditional Access policies (-All follows paging in large tenants)
$policies = Get-MgIdentityConditionalAccessPolicy -All

# Create an array to hold one flattened row per policy
$policyDetails = @()

foreach ($policy in $policies) {
    $detail = [PSCustomObject]@{
        DisplayName         = $policy.DisplayName
        State               = $policy.State
        CreatedDateTime     = $policy.CreatedDateTime
        ModifiedDateTime    = $policy.ModifiedDateTime
        # Multi-valued assignments are joined into a single comma-separated cell;
        # "All" and "None" appear as literals, users and groups as object IDs
        IncludeUsers        = ($policy.Conditions.Users.IncludeUsers -join ", ")
        ExcludeUsers        = ($policy.Conditions.Users.ExcludeUsers -join ", ")
        IncludeGroups       = ($policy.Conditions.Users.IncludeGroups -join ", ")
        ExcludeGroups       = ($policy.Conditions.Users.ExcludeGroups -join ", ")
        IncludeApplications = ($policy.Conditions.Applications.IncludeApplications -join ", ")
        ExcludeApplications = ($policy.Conditions.Applications.ExcludeApplications -join ", ")
        IncludePlatforms    = ($policy.Conditions.Platforms.IncludePlatforms -join ", ")
        ExcludePlatforms    = ($policy.Conditions.Platforms.ExcludePlatforms -join ", ")
        IncludeLocations    = ($policy.Conditions.Locations.IncludeLocations -join ", ")
        ExcludeLocations    = ($policy.Conditions.Locations.ExcludeLocations -join ", ")
        GrantControls       = ($policy.GrantControls.BuiltInControls -join ", ")
        # Session controls are nested objects, so keep them as compact JSON in one cell
        SessionControls     = ($policy.SessionControls | ConvertTo-Json -Compress)
    }
    $policyDetails += $detail
}

# Export to CSV
$policyDetails | Export-Csv -Path "ConditionalAccessPolicies.csv" -NoTypeInformation
Write-Output "Exported $($policyDetails.Count) Conditional Access policies to ConditionalAccessPolicies.csv"

# Disconnect
Disconnect-MgGraph
```
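Once the policies are in a CSV, the export is most useful as input to a review. The following function is an added example, not part of the original post: it reads rows with the same column names as the export above and flags policies that are not enforcing (disabled or report-only), policies that target all users but carry exclusions, and all-application policies whose grant controls require neither MFA, a compliant device nor a block. The three sample rows are constructed for illustration and do not describe any real tenant; the `break-glass-id` value stands in for a user object ID.

```powershell
# Added example (not from the original post): review an exported CSV and flag
# policies that deserve a second look. Column names match the export above.
function Get-ConditionalAccessReviewFindings {
    param(
        [Parameter(Mandatory)]
        [object[]]$Policies   # rows as produced by Import-Csv on the export
    )

    foreach ($p in $Policies) {
        $findings = @()

        # A policy that is disabled or in report-only mode enforces nothing.
        if ($p.State -ne 'enabled') {
            $findings += "state is '$($p.State)'"
        }

        # Exclusions on an all-users policy are the usual place gaps hide
        # (legitimate break-glass accounts still belong on a documented list).
        if ($p.IncludeUsers -eq 'All' -and -not [string]::IsNullOrWhiteSpace($p.ExcludeUsers)) {
            $findings += "targets all users but excludes: $($p.ExcludeUsers)"
        }

        # Split the joined GrantControls cell back into its built-in control names.
        $controls = ($p.GrantControls -split ',\s*') | Where-Object { $_ }
        $strong   = ($controls -contains 'mfa') -or
                    ($controls -contains 'compliantDevice') -or
                    ($controls -contains 'block')
        if ($p.IncludeApplications -eq 'All' -and -not $strong) {
            $findings += "covers all apps with grant controls: '$($p.GrantControls)'"
        }

        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                DisplayName = $p.DisplayName
                Findings    = ($findings -join '; ')
            }
        }
    }
}

# Constructed sample rows in the shape of ConditionalAccessPolicies.csv
$sampleCsv = @'
"DisplayName","State","IncludeUsers","ExcludeUsers","IncludeApplications","GrantControls"
"Require MFA for all users","enabled","All","break-glass-id","All","mfa"
"Block legacy auth","enabledForReportingButNotEnforced","All","","All","block"
"Require compliant device","disabled","All","","All","compliantDevice"
'@
$rows = $sampleCsv | ConvertFrom-Csv
Get-ConditionalAccessReviewFindings -Policies $rows | Format-Table -AutoSize

# Against a real export produced by the script above:
# Get-ConditionalAccessReviewFindings -Policies (Import-Csv .\ConditionalAccessPolicies.csv)
```

With the sample rows, all three policies are reported: the first for its exclusion, the second for being report-only, the third for being disabled. The checks deliberately work on the flattened CSV columns rather than the live Graph objects, so the review can be repeated on an archived export without re-authenticating.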