
# Export of Conditional Access Policies with Microsoft Graph API


Conditional Access policies are a critical component of Azure AD (now Microsoft Entra ID) security: they are the control plane that decides, per sign-in, which users, devices, locations and applications must satisfy which requirements before access is granted. Managing these policies, especially in large environments, is hard without the right tools, because the portal shows one policy at a time and hides the relationships between them. This article walks through a PowerShell script that exports every Conditional Access policy from Microsoft Graph and breaks each setting out into its own column.

The script connects to Microsoft Graph with app-only (client credentials) authentication, retrieves all Conditional Access policies configured in the tenant, and flattens each policy into one row with a column per setting, so administrators can filter, sort and compare policies in GridView or feed the JSON output into other tooling. One caveat to keep in mind when reading the export: the policy object references users, groups, roles, named locations and applications by object ID, or by keywords such as `All` and `AllTrusted`, so the columns contain GUIDs rather than display names; resolve them separately if you need readable names.

| Feature | Capability | Business Value |
|---------|------------|----------------|
| Policy Export | Retrieves all Conditional Access policies from Azure AD | Complete visibility into security configurations |
| Detailed Settings | Exports each policy setting in separate columns | Easy analysis and comparison of policies |
| Structured Output | Formats data in JSON and GridView | Multiple viewing options for different needs |
| Comprehensive Coverage | Includes grant controls, session controls, and conditions | Full policy configuration documentation |

```powershell
<#
.SYNOPSIS
    Get-ConditionalAccessPolicies.ps1

.DESCRIPTION
    Export all Conditional Access policies from Microsoft Graph, including all
    settings, with each setting in its own column.
#>

# Get-MgIdentityConditionalAccessPolicy lives in the Identity.SignIns submodule.
# Importing the whole Microsoft.Graph meta-module also works but is much slower.
Import-Module -Name 'Microsoft.Graph.Authentication'
Import-Module -Name 'Microsoft.Graph.Identity.SignIns'

$TenantId     = ""   # Azure AD tenant ID
$ClientId     = ""   # Application (client) ID of the app registration
$ClientSecret = ""   # Client secret. Never commit a real value: read it from a
                     # secret store at run time, or use certificate authentication
                     # (Connect-MgGraph -CertificateThumbprint) instead of a secret.

# App-only (client credentials) sign-in. The Graph PowerShell SDK accepts the
# secret as a PSCredential directly, so no separate MSAL token call is needed.
$SecureClientSecret = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($ClientId, $SecureClientSecret)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $Credential -NoWelcome

# -All pages through the whole collection instead of stopping at the first page
$policies = Get-MgIdentityConditionalAccessPolicy -All

# Flatten each policy into one object with a column per setting. Multi-valued
# settings are joined with commas so they fit in a single column; -join on an
# empty or null value yields an empty string, so missing settings stay blank.
$results = foreach ($policy in $policies) {
    [PSCustomObject]@{
        Id               = $policy.Id
        DisplayName      = $policy.DisplayName
        State            = $policy.State   # enabled, disabled, or enabledForReportingButNotEnforced
        CreatedDateTime  = $policy.CreatedDateTime
        ModifiedDateTime = $policy.ModifiedDateTime
        Description      = $policy.Description

        # Grant controls
        GrantControls_BuiltInControls        = $policy.GrantControls.BuiltInControls -join ','
        GrantControls_CustomControls         = $policy.GrantControls.CustomControls -join ','
        GrantControls_Operator               = $policy.GrantControls.Operator       # AND / OR
        GrantControls_AuthenticationStrength = $policy.GrantControls.AuthenticationStrength.DisplayName

        # Session controls
        SessionControls_ApplicationEnforcedRestrictions = $policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
        SessionControls_PersistentBrowser               = $policy.SessionControls.PersistentBrowser.IsEnabled
        SessionControls_PersistentBrowserMode           = $policy.SessionControls.PersistentBrowser.Mode
        SessionControls_SignInFrequency                 = $policy.SessionControls.SignInFrequency.IsEnabled
        FrequencyInterval                               = $policy.SessionControls.SignInFrequency.FrequencyInterval

        # Assignments: users, groups and roles are object IDs or keywords (All, GuestsOrExternalUsers, None)
        IncludedUsers  = $policy.Conditions.Users.IncludeUsers  -join ','
        ExcludedUsers  = $policy.Conditions.Users.ExcludeUsers  -join ','
        IncludedGroups = $policy.Conditions.Users.IncludeGroups -join ','
        ExcludedGroups = $policy.Conditions.Users.ExcludeGroups -join ','
        IncludedRoles  = $policy.Conditions.Users.IncludeRoles  -join ','
        ExcludedRoles  = $policy.Conditions.Users.ExcludeRoles  -join ','

        # Conditions
        IncludePlatforms    = $policy.Conditions.Platforms.IncludePlatforms -join ','
        ExcludePlatforms    = $policy.Conditions.Platforms.ExcludePlatforms -join ','
        IncludeLocations    = $policy.Conditions.Locations.IncludeLocations -join ','   # named location IDs, All, AllTrusted
        ExcludeLocations    = $policy.Conditions.Locations.ExcludeLocations -join ','
        IncludeDeviceStates = $policy.Conditions.Devices.IncludeDeviceStates -join ','
        ExcludeDeviceStates = $policy.Conditions.Devices.ExcludeDeviceStates -join ','
        DeviceFilterMode    = $policy.Conditions.Devices.DeviceFilter.Mode            # include / exclude
        DeviceFilterRule    = $policy.Conditions.Devices.DeviceFilter.Rule
        IncludeApplications = $policy.Conditions.Applications.IncludeApplications -join ','
        ExcludeApplications = $policy.Conditions.Applications.ExcludeApplications -join ','
        IncludeUserActions  = $policy.Conditions.Applications.IncludeUserActions  -join ','
        ClientAppTypes      = $policy.Conditions.ClientAppTypes -join ','

        # Risk conditions. These are plain string collections on the condition set,
        # not objects with IncludeLevels/ExcludeLevels, so they are joined directly.
        SignInRiskLevels           = $policy.Conditions.SignInRiskLevels           -join ','
        UserRiskLevels             = $policy.Conditions.UserRiskLevels             -join ','
        ServicePrincipalRiskLevels = $policy.Conditions.ServicePrincipalRiskLevels -join ','
        InsiderRiskLevels          = $policy.Conditions.InsiderRiskLevels

        # Legacy deviceStates condition, superseded by Conditions.Devices above but
        # still present on old policies
        DeviceStates_IncludeDeviceStates = $policy.Conditions.DeviceStates.IncludeDeviceStates -join ','
        DeviceStates_ExcludeDeviceStates = $policy.Conditions.DeviceStates.ExcludeDeviceStates -join ','
    }
}

# Interactive view, plus a JSON copy for documentation or later comparison
$results | Out-GridView -Title 'Conditional Access policies'
$results | ConvertTo-Json -Depth 3 | Set-Content -Path '.\ConditionalAccessPolicies.json'
```

---
## Configuration Requirements
### Prerequisites
| Component | Requirement | Purpose |
|-----------|-------------|---------|
| **Microsoft Graph Modules** | `Microsoft.Graph.Authentication` and `Microsoft.Graph.Identity.SignIns` (or the full `Microsoft.Graph` meta-module) | API connectivity and authentication |
| **Azure AD App Registration** | Application with appropriate permissions | Secure API access |
| **Tenant Credentials** | Tenant ID, Client ID, Client Secret | Authentication parameters |
### Authentication Setup
**Ideal for:** Azure AD administrators managing Conditional Access policies
**Required Permissions** (application permissions on the app registration, granted with admin consent; one of the two is enough):
- `Policy.Read.ConditionalAccess` - least-privileged choice; reads Conditional Access policies and nothing else
- `Policy.Read.All` - broader alternative that also covers other policy types; use it only if the app needs that elsewhere
Because the script authenticates as the application rather than as a signed-in admin, treat the client secret as a privileged credential: it grants read access to every policy in the tenant, which is exactly the reconnaissance an attacker planning to bypass Conditional Access would want.
---
## Usage Instructions
1. **Configure Authentication Parameters:**
```powershell
$TenantId = "your-tenant-id"
$ClientId = "your-app-client-id"
$ClientSecret = "your-client-secret"
```
2. **Execute the Script:**
   - Run with appropriate PowerShell permissions
   - Review output in GridView for detailed analysis
   - Export data for documentation purposes
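Once exports exist, the most useful thing to do with them is change detection. The following is an added example, not part of the original script: it compares a baseline export (the JSON the script writes, re-imported with `ConvertFrom-Json`, or the `$results` array directly) against a fresh one and reports policies that were added, removed, or modified, column by column. `Compare-CaPolicyExport` is a name chosen for this example, and the two exports at the bottom are constructed sample data with placeholder IDs that use the same column names as the script's output.

```powershell
function Compare-CaPolicyExport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,   # approved export
        [Parameter(Mandatory)] [object[]] $Current     # fresh export
    )

    # Index both exports by policy ID so renames do not hide changes
    $baseById = @{}
    foreach ($p in $Baseline) { $baseById[$p.Id] = $p }
    $curById = @{}
    foreach ($p in $Current)  { $curById[$p.Id]  = $p }

    # One finding row; Property/Baseline/Current are null for whole-policy changes
    function New-Finding($Policy, $Change, $Property, $Before, $After) {
        [PSCustomObject]@{
            Id          = $Policy.Id
            DisplayName = $Policy.DisplayName
            Change      = $Change
            Property    = $Property
            Baseline    = $Before
            Current     = $After
        }
    }

    # Policies present in the baseline but missing now
    foreach ($id in $baseById.Keys) {
        if (-not $curById.ContainsKey($id)) {
            New-Finding $baseById[$id] 'Removed' $null $null $null
        }
    }

    foreach ($id in $curById.Keys) {
        $cur = $curById[$id]
        if (-not $baseById.ContainsKey($id)) {
            New-Finding $cur 'Added' $null $null $null
            continue
        }
        $base = $baseById[$id]
        # Compare every exported column except the timestamps, which change on any edit
        foreach ($prop in $cur.PSObject.Properties.Name) {
            if ($prop -in 'ModifiedDateTime', 'CreatedDateTime') { continue }
            $before = [string]$base.$prop   # [string]$null is '', so a missing column compares as blank
            $after  = [string]$cur.$prop
            if ($before -ne $after) {
                New-Finding $cur 'Modified' $prop $before $after
            }
        }
    }
}

# Constructed sample exports (placeholder IDs, same columns as the script's $results)
$baseline = @(
    [PSCustomObject]@{ Id = 'policy-mfa';    DisplayName = 'Require MFA for all users';     State = 'enabled'; GrantControls_BuiltInControls = 'mfa';   ExcludedUsers = 'breakglass-1'; ModifiedDateTime = '2024-01-01T00:00:00Z' }
    [PSCustomObject]@{ Id = 'policy-legacy'; DisplayName = 'Block legacy authentication';   State = 'enabled'; GrantControls_BuiltInControls = 'block'; ExcludedUsers = '';             ModifiedDateTime = '2024-01-01T00:00:00Z' }
)
$current = @(
    # Same MFA policy, now report-only and with an extra exclusion: the two edits
    # that silently weaken a policy without deleting it
    [PSCustomObject]@{ Id = 'policy-mfa';    DisplayName = 'Require MFA for all users';     State = 'enabledForReportingButNotEnforced'; GrantControls_BuiltInControls = 'mfa';             ExcludedUsers = 'breakglass-1,contractor-7'; ModifiedDateTime = '2024-06-01T00:00:00Z' }
    # The legacy-auth block is gone and a new policy appeared
    [PSCustomObject]@{ Id = 'policy-device'; DisplayName = 'Require compliant device';      State = 'enabled';                            GrantControls_BuiltInControls = 'compliantDevice'; ExcludedUsers = '';                           ModifiedDateTime = '2024-06-01T00:00:00Z' }
)

Compare-CaPolicyExport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

On the sample data the function returns four rows: `policy-legacy` Removed, `policy-device` Added, and two Modified rows for `policy-mfa` (`State` going from `enabled` to `enabledForReportingButNotEnforced`, and `ExcludedUsers` growing by one ID). In a real tenant, run the script on a schedule, keep the JSON from the last approved review as the baseline, and page on any row where `Change` is not `Modified` or `Property` is one of `State`, `ExcludedUsers`, `ExcludedGroups` or `GrantControls_BuiltInControls`; those are the columns an attacker with policy-write access would touch to open a gap without deleting anything visible.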

Key Takeaway: This script provides comprehensive visibility into Conditional Access policy configurations, enabling better security governance and compliance management through detailed policy analysis and documentation.