Help CenterConditional Access policies are a critical component of Azure AD security, providing the necessary controls to enforce organizational security requirements. Managing these policies, especially in large environments, can be challenging without the right tools. This article explores a PowerShell script designed to export all Conditional Access policies from Microsoft Graph, providing detailed insights into each setting within those policies.
Script Overview
The script is designed to connect to Microsoft Graph and retrieve all Conditional Access policies configured within an Azure AD tenant. The script then exports these policies, detailing each setting in its own column, making it easier for administrators to analyze and manage their Conditional Access configurations.
Here is the script :
<#.SYNOPSISGet-ConditionalAccessPolicies.ps1.DESCRIPTIONExport all Conditional Access policies from Microsoft Graph, including all settings, with each setting in its own column.#>Import-Module -Name 'Microsoft.Graph'Import-Module -Name 'Microsoft.Graph.Authentication'# Variables$TenantId = "" # Azure AD Tenant ID$ClientId = "" # Application (client) ID$ClientSecret = ""# Convert Client Secret to Secure String$SecureClientSecret = ConvertTo-SecureString $ClientSecret -AsPlainText -Force# Create credential object$Credential = New-Object System.Management.Automation.PSCredential($ClientId, $SecureClientSecret)# Acquire a token$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -ClientSecret $SecureClientSecret -Scopes https://graph.microsoft.com/.default# Convert token to secure string$SecureToken = ConvertTo-SecureString $Token.AccessToken -AsPlainText -Force# Connect to Microsoft GraphConnect-MgGraph -AccessToken $SecureToken# Retrieve all Conditional Access policies$policies = Get-MgIdentityConditionalAccessPolicy -All# Array to store results$results = @()foreach ($policy in $policies) {$result = [PSCustomObject]@{Id = $policy.IdDisplayName = $policy.DisplayNameState = $policy.StateCreatedDateTime = $policy.CreatedDateTimeModifiedDateTime = $policy.ModifiedDateTimeDescription = $policy.Description# Grant ControlsGrantControls_BuiltInControls = $policy.GrantControls.BuiltInControls -join ','GrantControls_CustomControls = $policy.GrantControls.CustomControls -join ','GrantControls_Operator = $policy.GrantControls.Operator# Session ControlsSessionControls_ApplicationEnforcedRestrictions = $policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabledSessionControls_PersistentBrowser = $policy.SessionControls.PersistentBrowser.IsEnabledSessionControls_PersistentBrowserMode = $policy.SessionControls.PersistentBrowser.ModeSessionControls_SignInFrequency = $policy.SessionControls.SignInFrequency.IsEnabledFrequencyInterval = $policy.SessionControls.SignInFrequency.FrequencyInterval# ConditionsIncludedUsers = $policy.Conditions.Users.IncludeUsers -join ','ExcludedUsers = $policy.Conditions.Users.ExcludeUsers -join ','IncludedGroups = $policy.Conditions.Users.IncludeGroups -join ','ExcludedGroups = $policy.Conditions.Users.ExcludeGroups -join ','IncludedRoles = $policy.Conditions.Users.IncludeRoles -join ','ExcludedRoles = $policy.Conditions.Users.ExcludeRoles -join ','IncludePlatforms = $policy.Conditions.Platforms.IncludePlatforms -join ','ExcludePlatforms = $policy.Conditions.Platforms.ExcludePlatforms -join ','IncludeLocations = $policy.Conditions.Locations.IncludeLocations -join ','ExcludeLocations = $policy.Conditions.Locations.ExcludeLocations -join ','IncludeDeviceStates = $policy.Conditions.Devices.IncludeDeviceStates -join ','ExcludeDeviceStates = $policy.Conditions.Devices.ExcludeDeviceStates -join ','DeviceFilterMode = $policy.Conditions.Devices.DeviceFilter.Mode -join ','DeviceFilterRule = $policy.Conditions.Devices.DeviceFilter.Rule -join ','IncludeApplications = $policy.Conditions.Applications.IncludeApplications -join ','ExcludeApplications = $policy.Conditions.Applications.ExcludeApplications -join ','IncludeUserActions = $policy.Conditions.Applications.IncludeUserActions -join ','ClientAppTypes = $policy.Conditions.ClientAppTypes -join ','SignInRiskLevels_IncludeLevels = $policy.Conditions.SignInRiskLevels.IncludeLevels -join ','SignInRiskLevels_ExcludeLevels = $policy.Conditions.SignInRiskLevels.ExcludeLevels -join ','ServicePrincipalRiskLevels_IncludeLevels = $policy.Conditions.ServicePrincipalRiskLevels.IncludeLevels -join ','insiderRiskLevels =$policy.Conditions.InsiderRiskLevelsServicePrincipalRiskLevels_ExcludeLevels = $policy.Conditions.ServicePrincipalRiskLevels.ExcludeLevels -join ','DeviceStates_IncludeDeviceStates = $policy.Conditions.DeviceStates.IncludeDeviceStates -join ','DeviceStates_ExcludeDeviceStates = $policy.Conditions.DeviceStates.ExcludeDeviceStates -join ','}$results += $result}# Convert results to JSON formatWrite-Output "<report>"$results | Out-GridViewWrite-Output "</report>"