Create Conditional Access Policies Using Microsoft Graph PowerShell

September 27, 2021
5 min read
Syndicated

You may be aware that next year the Azure Active Directory Graph components will retire. It is an older component that is separate from the core Microsoft Graph. The Azure Active Directory (AzureAD) and Microsoft Online (MSOnline) PowerShell modules depend on it. Most of the commands will keep working for a while; however, the best practice is to migrate any PowerShell scripts that use them to the new Microsoft Graph PowerShell commands.

See the notice here: https://azure.microsoft.com/en-us/updates/update-your-apps-to-use-microsoft-graph-before-30-june-2022/

As per my last post, the approach of creating Conditional Access policies using the Azure Active Directory (AzureAD) PowerShell module needs updating.

See Create Conditional Access Policies using PowerShell.

How Do We Use the Microsoft Graph PowerShell Commands?

Firstly, we need to install the Microsoft Graph PowerShell module. It is completed by installing and then importing the module using the following commands:

Install-Module Microsoft.Graph
Import-Module Microsoft.Graph

NOTE: If you get errors when importing the module about the profile not containing the commands, you will need to adjust your session and set the profile to “beta.”

NOTE: Ensure you are using PowerShell 7

Select-MgProfile -Name "beta"
Import-Module Microsoft.Graph

Next, you can sign in to the Microsoft Graph and specify the required permission scopes. Sign in with an admin account, then use the “Connect-MgGraph” command followed by the “-Scopes” parameter, which lets you consent to the required permissions.

Connect-MgGraph -Scopes `
	"Policy.Read.All", `
	"Policy.ReadWrite.ConditionalAccess", `
	"Application.Read.All"

As part of the connection, you need to consent to the required permissions.

Now we have a connection (thank you for the “Welcome to Microsoft Graph!” message), we can start to create the conditional access policies. To create a new policy, we will use the command “New-MgIdentityConditionalAccessPolicy.” The documentation doesn’t just show up in a web search, so you need to use the following links just in case:

https://docs.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-beta

https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta

https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mgidentityconditionalaccesspolicy?view=graph-powershell-beta

The command requires various parameters similar to the Azure AD PowerShell command. We will first retrieve the conditional access policies already created using the “Get-MgIdentityConditionalAccessPolicy” command to get started.

Get-MgIdentityConditionalAccessPolicy

Once executed, all current conditional access policies are returned with their unique ID and name.

To retrieve a single policy, we modify the command, passing in the unique ID of the conditional access policy.

$policy = Get-MgIdentityConditionalAccessPolicy `
	-ConditionalAccessPolicyId c975fe50-58a4-4730-b1a7-491f294bec9a

Now that we have an existing policy loaded, we can review all the settings available by using the following syntax:

$policy.Conditions.Applications
$policy.GrantControls.BuiltInControls
$policy.Conditions.ClientAppTypes
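Before creating a new policy it is worth checking what the tenant already has. The following is an added example, not code from the original post: it summarises every Conditional Access policy and flags the ones that target the legacy client app types and block them. It assumes an existing Connect-MgGraph session with Policy.Read.All.

```powershell
# Added example (not from the original post): audit existing Conditional Access
# policies for legacy-authentication coverage.
# Assumes an existing Connect-MgGraph session with Policy.Read.All.
$legacyTypes = @('exchangeActiveSync', 'other')

$report = Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $types    = @($_.Conditions.ClientAppTypes)
    $controls = @($_.GrantControls.BuiltInControls)

    # -contains is case-insensitive, so 'ExchangeActiveSync' and 'exchangeActiveSync' both match
    $coversLegacy = ($legacyTypes | Where-Object { $types -contains $_ }).Count -eq $legacyTypes.Count

    [PSCustomObject]@{
        Id             = $_.Id
        DisplayName    = $_.DisplayName
        State          = $_.State
        ClientAppTypes = ($types -join ',')
        Controls       = ($controls -join ',')
        # True only when the policy covers both legacy client types AND its control is 'block'
        BlocksLegacy   = ($coversLegacy -and ($controls -contains 'block'))
    }
}

$report | Format-Table -AutoSize

# Report-only and disabled policies do not enforce anything, so only 'enabled' counts
if (-not ($report | Where-Object { $_.BlocksLegacy -and $_.State -eq 'enabled' })) {
    Write-Warning 'No enabled Conditional Access policy blocks legacy authentication.'
}
```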

So far, it looks very similar to using the AzureAD PowerShell commands. Let’s say we need to create a conditional access policy that blocks legacy authentication. With the AzureAD module, this meant first creating strongly typed objects in PowerShell. As before, we first create the Conditions container and then populate the applications, users, and client app types. Next, we make the controls container, adding in the operator and controls such as granting or blocking access.

The difference here is that we don’t create typed objects; we make PowerShell Objects (PSCustomObject). The objects follow the same structure as the AzureAD PowerShell properties, albeit allowing easier creation and management. The structure almost looks like the JSON.

$conditions = @{
	Applications = @{
		IncludeApplications = @('All')
	}
	Users = @{
		IncludeUsers = @('All')
	}
	# Legacy authentication clients: Exchange ActiveSync plus "Other" (basic auth protocols)
	ClientAppTypes = @(
		'ExchangeActiveSync',
		'Other'
	)
}

$grantcontrols = @{
	# Legacy clients cannot satisfy MFA, so a "block legacy authentication" policy uses the 'block' control
	BuiltInControls = @('block')
	Operator = 'OR'
}

Once you create the variables, you set the name, description, and state and then pass in the created objects as required.

$name = "C001 - Block Legacy Authentication All Apps (Graph PowerShell)"
$state = "Disabled"

New-MgIdentityConditionalAccessPolicy `
	-DisplayName $name `
	-State $state `
	-Conditions $conditions `
	-GrantControls $grantcontrols

Once executed, this creates the Conditional Access policy.
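A practitioner usually wants the policy to start in report-only mode, exclude an emergency-access (break-glass) group, and confirm what the tenant actually stored. The following is an added example, not code from the original post; it assumes an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess, and <BREAK-GLASS-GROUP-ID> is a placeholder for your own emergency-access group's object ID.

```powershell
# Added example (not from the original post): create the legacy-authentication
# block policy in report-only mode, exclude a break-glass group, then read it back.
# Assumes an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-ID>'   # placeholder: your emergency-access group object ID

$body = @{
    DisplayName = 'C001 - Block Legacy Authentication All Apps (Graph PowerShell)'
    # Report-only: sign-in logs show what WOULD be blocked without locking anyone out
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Applications   = @{ IncludeApplications = @('All') }
        Users          = @{
            IncludeUsers  = @('All')
            ExcludeGroups = @($breakGlassGroupId)
        }
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('block')
    }
}

# -BodyParameter accepts the whole policy as one hashtable instead of separate parameters
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# Read the policy back by ID and confirm the stored settings match what we intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$ok = ($check.State -eq 'enabledForReportingButNotEnforced') -and
      ($check.GrantControls.BuiltInControls -contains 'block') -and
      ($check.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
      ($check.Conditions.ClientAppTypes -contains 'other') -and
      ($check.Conditions.Users.ExcludeGroups -contains $breakGlassGroupId)

if ($ok) {
    "Policy $($check.Id) created in report-only mode; review sign-in logs before switching State to 'enabled'."
} else {
    Write-Error "Policy $($created.Id) was created but its stored settings do not match the request."
}
```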

You can see that the Microsoft Graph PowerShell commands are as feature-rich as, if not more so than, the current Azure Active Directory (AzureAD) PowerShell commands. The learning curve may be a little steeper due to the structure, but it becomes much easier and a lot more powerful once you understand how it works.

Liam Cleary

Liam began his career as a computer trainer. He quickly realized that programming, breaking and hacking were much more fun. Liam spent the next few years working within core infrastructure and security services. He is now the founder and owner of SharePlicity, a consulting company focusing on Microsoft 365 and Azure technology. His role within SharePlicity is to help organizations implement Microsoft 365 and Azure technology to enhance internal and external collaboration, document, and records management, automate business processes, and implement security controls and protection. He is a long-time Microsoft MVP and Microsoft Certified Trainer, focusing on architecture, security and crossing the boundary into software development. Over the past few years, his specialty has been security in Microsoft 365, Azure and its surrounding platforms. Liam also creates online training courses for Pluralsight, LinkedIn Learning and Cloud Academy, and he teaches multiple Microsoft certification courses for Opsgility and Microsoft. You can find him at user groups and conferences, teaching classes, offering advice, spending time in the community, teaching his kids how to code, raspberry PI programming, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at breakneck speeds.