Deploying Conditional Access Policies via PowerShell
There is a new GitHub repository available from Microsoft: Manage Conditional Access policies like code. Similar to the infamous Intune samples repo, from which I and many others have built our automated Intune setup scripts for new tenants, this repo is replete with the resources you need to accomplish Conditional Access deployments via a PowerShell script or via an application (Microsoft Graph).
The Graph option has previously been available to us (in beta), but now it is generally available, and the PowerShell option is brand new. I love having both.
Recently, I blogged about a simpler Conditional Access baseline, designed with the SMB in mind. I have updated this baseline slightly, and made it available via my own GitHub repo. Here is a summary of the policy set:
- BLOCK – Legacy authentication: This policy blocks legacy clients such as IMAP, POP, and EAS.
- GRANT – Require MFA for admins: This policy will require Global admins to perform MFA. I decided to add this to the simple baseline, because very often it takes some extra time/effort to get all of the end-users prepared for MFA, whereas the admin policy can be deployed more quickly since there tend to be fewer. As well, in the SMB we rarely see folks delegating roles outside of Global admin, since there is usually only one or two individuals with the admin job function (and they tend to wear all the hats, so to speak).
- GRANT – Require MFA for all users: This policy does what it says; every user (admin or not) will be required to register for multi-factor and start using it.
- GRANT – Require MAM or MDM for mobile device access: This policy gives the customer a choice. They can either use the approved Microsoft apps such as Outlook and Edge (MAM), or they can enroll using the Company Portal app (for MDM), which would allow them to use the native or “built-in” email and web browser clients for iOS and Android. (UPDATE: This can also be broken into two policies, and you can choose to enforce MAM, MDM, or both!)
- GRANT – Require compliant device for Windows or Mac access: Desktop computers should be fully managed in order to gain access to corporate data. This policy will prevent access from unmanaged devices using client apps such as Outlook and OneDrive, which cache local data on the device. NOTE: You can also modify the policy to add the ‘Browser’ condition if you want to block web access from unmanaged computers as well.
- BLOCK – Unsupported device platforms: Platforms such as ChromeOS, Linux, etc. will be prevented from accessing corporate apps and data. You can also modify this policy to block any other platforms that you do not intend to support (e.g. if you do not want to support MacOS).
To run the script:
- Download it from GitHub
- For a newer tenant, you may have to disable ‘Security defaults’ first
- Be sure that you have the AzureAD PowerShell module installed (Install-Module AzureAD)
- Connect to Azure AD (Connect-AzureAD); you must authenticate with Global admin, or Conditional Access admin, or Security admin roles
- Run the script!
When the policies show up, they will be disabled by default. This gives you a chance to plan the implementation and notify end users about the expected impacts: for example, legacy authentication will no longer work, users will be required to use MFA, and devices must be enrolled. The script also creates a security group called “Exclude from CA”, and this group is excluded from every Conditional Access policy. You should populate this security group with at least one emergency access account, plus any other accounts which must be excluded from Conditional Access.
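To show what one of these policies looks like when built with the AzureAD module, here is an added example (not the script from my repo, and not Microsoft's sample code) that creates the “Exclude from CA” group and the legacy-authentication block policy in the disabled state. It assumes you have already run Connect-AzureAD with one of the roles listed above; the group mail nickname and the idempotency checks are my own choices.

```powershell
# Added example: create the exclusion group and a disabled
# "BLOCK - Legacy authentication" policy with the AzureAD module.
# Assumes Connect-AzureAD has already been run.

# Reuse the exclusion group if it already exists, otherwise create it.
$groupName = 'Exclude from CA'
$excludeGroup = Get-AzureADGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName } | Select-Object -First 1
if (-not $excludeGroup) {
    $excludeGroup = New-AzureADGroup -DisplayName $groupName `
        -MailEnabled $false -SecurityEnabled $true -MailNickName 'ExcludeFromCA'
}

# Do not create a duplicate policy if one with the same name is present.
$policyName = 'BLOCK - Legacy authentication'
if (Get-AzureADMSConditionalAccessPolicy | Where-Object { $_.DisplayName -eq $policyName }) {
    Write-Warning "Policy '$policyName' already exists; skipping."
    return
}

# Conditions: all users and all cloud apps, minus the exclusion group,
# limited to the legacy client app types. 'exchangeActiveSync' covers EAS;
# 'other' covers IMAP, POP, SMTP AUTH and similar basic-auth clients.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.Users.ExcludeGroups = $excludeGroup.ObjectId
$conditions.ClientAppTypes = @('exchangeActiveSync', 'other')

# Grant control: block access outright.
# Note the property really is named _Operator in this module.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'block'

# Create the policy disabled so the rollout can be planned first,
# matching the behaviour described in the post.
New-AzureADMSConditionalAccessPolicy -DisplayName $policyName `
    -State 'disabled' -Conditions $conditions -GrantControls $controls
```

To stage the rollout, change -State to 'enabledForReportingButNotEnforced' and review the sign-in logs before switching to 'enabled'.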
And that’s it!