Export & Import Conditional Access policies and configuration using Graph API
Conditional access is the tool to enforce organizational policies. Access to resource is granted using if-then statements. You can for example enforce multi-factor authentication from untrusted networks or block legacy authentication.

Conditional access requires an Azure AD Premium Plan 1 license, which is included in most bundles or can be purchased as an add-on. Note that you need to license all users who benefit from these conditional access policies. This includes service accounts, where you may want to use conditional access to limit access to specific IPs.

I’ve created the baseline policies below, which I use in my developer tenant to restrict certain access. This post exports that configuration and shows the commands to import it back into a tenant.

Baseline Conditional Access policies

    • Require multi-factor authentication for users with administrative roles
      • Selected directory roles but excluded a group which has my break the glass accounts
      • All cloud apps
      • Require multi-factor authentication
      • Never persistent browser session
    • Require multi-factor authentication for all users
      • Selected all users but excluded a group which has my break the glass accounts
      • All cloud apps except Microsoft Intune Enrolment
      • Require multi-factor authentication
    • Require multi-factor authentication for guest accounts
      • Selected all guests and external users
      • All cloud apps
    • Blocking sign-ins for users attempting to use legacy authentication protocols
      • All users
      • All cloud apps
      • Client app condition to block Exchange ActiveSync clients and other clients
      • Block access
    • Requiring trusted locations for Azure AD Multi-Factor Authentication registration
      • All users except guests and externals and the break the glass accounts group
      • Register security information
      • All locations except trusted locations
      • Block access

Graph API

I will be using the Graph API for exporting and importing Conditional Access policies and named locations.

Permissions

We will be reading and writing, so we need to add application permissions to call the APIs in Azure Active Directory.

Add “Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Agreement.Read.All, Directory.Read.All and Application.Read.All”

Note the following information, as the script will need it:

  • Client ID
  • Client Secret
  • Tenant ID
  • Output location

Export Conditional Access policies

The script has been uploaded to O365ExportImport/ExportAndImport/ConditionalAccessPolicies at main · CloudSecuritea/O365ExportImport (github.com) where it can be downloaded, changed and used. Run the following command to start the export:

export-condtionalAccess.ps1, supplying the required parameters (client ID, client secret, tenant ID and output location).

The files will be created in the specified location.

Import Conditional Access policies

We have just exported the conditional access policies and named locations. The JSON files will now be used to import this configuration. Note that running the script creates new policies; if old policies are present, you will need to delete them yourself.

The script has been uploaded to O365ExportImport/ExportAndImport/ConditionalAccessPolicies at main · CloudSecuritea/O365ExportImport (github.com) where it can be downloaded, changed and used. Run the following command to start the import:

import-condtionalAccess.ps1, supplying the required parameters.
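As an added example (not the CloudSecuritea script from the repository linked above), the following PowerShell performs the export and import steps described in this post against the Graph API directly, using the client ID, client secret and tenant ID of the app registration that holds the application permissions listed under Permissions. The function names, parameter names, the folder layout under the output location and the `-ReportOnly` switch are this example's own choices, not the post's. It goes a little beyond what the post shows: it follows `@odata.nextLink` paging, strips the read-only properties Graph rejects on create, imports named locations before policies and rewrites location references to the newly assigned IDs, and can land imported policies in report-only state so a mistaken import cannot lock anyone out.

```powershell
# Added example: export and re-import Conditional Access named locations and
# policies with the Graph API using an app registration (client credentials).
# Function/parameter names and the folder layout are this example's own.
$Graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client-credentials flow; the app registration needs the application
    # permissions from the Permissions section (Policy.Read.All, Policy.ReadWrite.ConditionalAccess, ...)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded' `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

function Get-GraphCollection {
    param([string]$Token, [string]$Uri)
    # Follow @odata.nextLink so tenants with many policies/locations export completely
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Export-CaConfiguration {
    param([string]$Token, [string]$OutputPath)
    $locDir = Join-Path $OutputPath 'NamedLocations'
    $polDir = Join-Path $OutputPath 'Policies'
    New-Item -ItemType Directory -Path $locDir, $polDir -Force | Out-Null
    # -Depth 10: the default depth of 2 silently truncates nested conditions
    foreach ($loc in Get-GraphCollection -Token $Token -Uri "$Graph/identity/conditionalAccess/namedLocations") {
        $name = ($loc.displayName -replace '[\\/:*?"<>|]', '_') + '.json'
        $loc | ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $locDir $name) -Encoding utf8
    }
    foreach ($pol in Get-GraphCollection -Token $Token -Uri "$Graph/identity/conditionalAccess/policies") {
        $name = ($pol.displayName -replace '[\\/:*?"<>|]', '_') + '.json'
        $pol | ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $polDir $name) -Encoding utf8
    }
}

function Import-CaConfiguration {
    param([string]$Token, [string]$InputPath, [switch]$ReportOnly)
    $headers  = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $readOnly = 'id', 'createdDateTime', 'modifiedDateTime', 'templateId'   # set by Graph, rejected on create

    # 1. Named locations first. Graph assigns new ids, so remember old -> new for the policies.
    $locationMap = @{}
    foreach ($file in Get-ChildItem (Join-Path $InputPath 'NamedLocations') -Filter *.json) {
        $loc   = Get-Content $file.FullName -Raw | ConvertFrom-Json
        $oldId = $loc.id
        foreach ($p in $readOnly) { $loc.PSObject.Properties.Remove($p) }   # keeps @odata.type, which create requires
        $new = Invoke-RestMethod -Method Post -Uri "$Graph/identity/conditionalAccess/namedLocations" `
            -Headers $headers -Body ($loc | ConvertTo-Json -Depth 10)
        $locationMap[$oldId] = $new.id
    }

    # 2. Policies, with location references rewritten to the new ids.
    #    User/group/role ids are left as-is: they are only valid in the tenant they were exported from.
    foreach ($file in Get-ChildItem (Join-Path $InputPath 'Policies') -Filter *.json) {
        $pol = Get-Content $file.FullName -Raw | ConvertFrom-Json
        foreach ($p in $readOnly) { $pol.PSObject.Properties.Remove($p) }
        if ($pol.conditions.locations) {
            foreach ($prop in 'includeLocations', 'excludeLocations') {
                $ids = $pol.conditions.locations.$prop
                if ($ids) {
                    # 'All' and 'AllTrusted' have no mapping and pass through unchanged
                    $pol.conditions.locations.$prop = @($ids | ForEach-Object {
                        if ($locationMap.ContainsKey($_)) { $locationMap[$_] } else { $_ } })
                }
            }
        }
        if ($pol.grantControls -and $pol.grantControls.authenticationStrength) {
            # an authentication strength is referenced by id on create, not by its full object
            $pol.grantControls.authenticationStrength = @{ id = $pol.grantControls.authenticationStrength.id }
        }
        if ($ReportOnly) { $pol.state = 'enabledForReportingButNotEnforced' }   # stage safely, enforce after review
        Invoke-RestMethod -Method Post -Uri "$Graph/identity/conditionalAccess/policies" `
            -Headers $headers -Body ($pol | ConvertTo-Json -Depth 10) | Out-Null
        Write-Host "Created policy '$($pol.displayName)' (state: $($pol.state))"
    }
}

# Usage (placeholder values; the import creates new objects and never deletes existing ones):
# $token = Get-GraphToken -TenantId '<tenant-id>' -ClientId '<client-id>' -ClientSecret '<client-secret>'
# Export-CaConfiguration -Token $token -OutputPath 'C:\CAExport'
# Import-CaConfiguration -Token $token -InputPath 'C:\CAExport' -ReportOnly
```

Importing with `-ReportOnly` is the design choice worth keeping: the exported policies block legacy authentication and require MFA for all users, so a re-import that lands them as enforced before the break-the-glass group IDs have been checked in the target tenant is exactly how an administrator locks themselves out. Review the sign-in logs for the report-only policies, then switch `state` to `enabled` with a PATCH.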
