Implementing Conditional Access Policies for OneDrive using PnP PowerShell


Conditional Access (CA) policies in Microsoft 365 allow organizations to restrict and secure access to OneDrive based on conditions like user location, device compliance, risk level, and authentication method. These policies enhance security by preventing unauthorized access.

Using PnP PowerShell, you can automate the creation, modification, and management of Conditional Access policies for OneDrive.


Step 1: Install & Update PnP PowerShell

Before implementing policies, ensure PnP PowerShell is installed and updated:

Install-Module -Name PnP.PowerShell -Force -AllowClobber

To update:

Update-Module -Name PnP.PowerShell

Step 2: Connect to Microsoft Graph API

Conditional Access policies are managed through Microsoft Graph, so the session needs a delegated token carrying the Policy.ReadWrite.ConditionalAccess permission. Current PnP PowerShell releases also require the client ID of your own Entra app registration (which must have that permission granted and consented):

# -ClientId is your own app registration; -Url is any SharePoint site in the tenant
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -ClientId "your-client-id" -Scopes "Policy.ReadWrite.ConditionalAccess" -Interactive

For app-only (unattended) authentication, use a certificate registered on the app. A client secret only works for SharePoint ACS app-only access and cannot obtain Microsoft Graph tokens, so it will not work for Conditional Access management:

$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$certPath = "C:\certs\your-app-cert.pfx"            # placeholder: certificate registered on the Entra app
$certPassword = Read-Host -AsSecureString "Certificate password"

# -Url is any SharePoint site in the tenant; the Graph permission comes from the app registration
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com" -Tenant $tenantId -ClientId $clientId -CertificatePath $certPath -CertificatePassword $certPassword

Step 3: Retrieve Existing Conditional Access Policies

To list all existing policies:

Get-PnPConditionalAccessPolicy | Format-Table DisplayName, State, Conditions, GrantControls

To check whether a policy already targets the Office 365 app group (which includes OneDrive):

Get-PnPConditionalAccessPolicy | Where-Object { $_.Conditions.Applications.IncludeApplications -contains "Office365" }

Step 4: Create a New Conditional Access Policy for OneDrive

Conditional Access has no OneDrive-only target: OneDrive is served by SharePoint Online, so the Office365 app group used here covers OneDrive together with the other Office 365 services. This example blocks access for users outside trusted locations:

$policy = @{
    displayName = "Block OneDrive Access Outside Trusted Locations"
    state = "enabled"
    conditions = @{
        # Graph requires a users condition on every policy
        users = @{
            includeUsers = @("All")
        }
        applications = @{
            includeApplications = @("Office365")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted") # all named locations marked trusted; replace with specific named location IDs if needed
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("Block")
    }
}

New-PnPConditionalAccessPolicy @policy

Step 5: Require Multi-Factor Authentication (MFA) for OneDrive Access

To enforce MFA for OneDrive:

$policy = @{
    displayName = "Require MFA for OneDrive Access"
    state = "enabled"
    conditions = @{
        # Graph requires a users condition on every policy
        users = @{
            includeUsers = @("All")
        }
        applications = @{
            includeApplications = @("Office365")
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("Mfa")
    }
}

New-PnPConditionalAccessPolicy @policy

Step 6: Restrict OneDrive Access to Compliant Devices

To allow access only from compliant devices (Intune-managed):

$policy = @{
    displayName = "Restrict OneDrive Access to Compliant Devices"
    state = "enabled"
    conditions = @{
        # Graph requires a users condition on every policy
        users = @{
            includeUsers = @("All")
        }
        applications = @{
            includeApplications = @("Office365")
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("CompliantDevice")
    }
}

New-PnPConditionalAccessPolicy @policy

Step 7: Block OneDrive Access from High-Risk Sign-ins

To block access when the sign-in risk level is high (sign-in risk is evaluated per authentication; userRiskLevels is a separate condition that tracks the risk of the account itself):

$policy = @{
    displayName = "Block OneDrive Access for High-Risk Sign-ins"
    state = "enabled"
    conditions = @{
        # Graph requires a users condition on every policy
        users = @{
            includeUsers = @("All")
        }
        applications = @{
            includeApplications = @("Office365")
        }
        signInRiskLevels = @("high")
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("Block")
    }
}

New-PnPConditionalAccessPolicy @policy
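The four policies in Steps 4 to 7 share the same shape, and a production rollout needs two things none of them show: the emergency-access (break-glass) accounts excluded so a misconfigured policy cannot lock out every administrator, and an initial report-only state so the sign-in log can be reviewed before enforcement. The following added example (not part of the original post) builds the policy bodies through one function and creates them by calling Microsoft Graph directly with Invoke-PnPGraphMethod from PnP.PowerShell. It assumes an authenticated session with the Policy.ReadWrite.ConditionalAccess scope; $breakGlassGroupId is a placeholder for your own emergency-access group object ID, and New-OneDriveCaPolicyBody and New-OneDriveCaPolicy are hypothetical helper names.

```powershell
# Added example, not from the original post. Assumes Connect-PnPOnline has already run
# with the Policy.ReadWrite.ConditionalAccess scope.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your emergency-access group

function New-OneDriveCaPolicyBody {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $BuiltInControls,        # e.g. "mfa", "compliantDevice", "block"
        [hashtable] $ExtraConditions = @{},                        # e.g. @{ signInRiskLevels = @("high") }
        [string]    $State = "enabledForReportingButNotEnforced"   # report-only first; enable after reviewing sign-in logs
    )

    $conditions = @{
        applications = @{ includeApplications = @("Office365") }   # Office 365 app group covers OneDrive
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)                  # never lock out the emergency accounts
        }
    }
    foreach ($key in $ExtraConditions.Keys) { $conditions[$key] = $ExtraConditions[$key] }

    return @{
        displayName   = $DisplayName
        state         = $State
        conditions    = $conditions
        grantControls = @{
            operator        = "OR"
            builtInControls = $BuiltInControls
        }
    }
}

function New-OneDriveCaPolicy {
    param([Parameter(Mandatory)] [hashtable] $Body)

    # Refuse to create a duplicate; policies are matched by display name here.
    $existing = (Invoke-PnPGraphMethod -Url "identity/conditionalAccess/policies" -Method Get).value |
        Where-Object { $_.displayName -eq $Body.displayName }
    if ($existing) {
        Write-Warning "Policy '$($Body.displayName)' already exists (id $($existing.id)); skipping."
        return $existing
    }

    $json = $Body | ConvertTo-Json -Depth 10
    return Invoke-PnPGraphMethod -Url "identity/conditionalAccess/policies" -Method Post -Content $json -ContentType "application/json"
}

# The same four intents as Steps 4-7, all created in report-only mode.
$definitions = @(
    (New-OneDriveCaPolicyBody -DisplayName "Block OneDrive Access Outside Trusted Locations" -BuiltInControls @("block") `
        -ExtraConditions @{ locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") } }),
    (New-OneDriveCaPolicyBody -DisplayName "Require MFA for OneDrive Access" -BuiltInControls @("mfa")),
    (New-OneDriveCaPolicyBody -DisplayName "Restrict OneDrive Access to Compliant Devices" -BuiltInControls @("compliantDevice")),
    (New-OneDriveCaPolicyBody -DisplayName "Block OneDrive Access for High-Risk Sign-ins" -BuiltInControls @("block") `
        -ExtraConditions @{ signInRiskLevels = @("high") })
)

foreach ($def in $definitions) {
    $created = New-OneDriveCaPolicy -Body $def
    "{0,-55} {1}" -f $created.displayName, $created.state
}
```

Once the report-only results in the Entra sign-in log look right, switch a policy to "enabled" by patching its state rather than recreating it, so the policy ID referenced by your monitoring stays the same.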

Step 8: Modify an Existing Conditional Access Policy

To modify a specific policy, get its ID first:

$policyId = (Get-PnPConditionalAccessPolicy | Where-Object { $_.displayName -eq "Require MFA for OneDrive Access" }).id

Now, update the policy to also require a compliant device. The operator decides how the controls combine: "AND" requires MFA and a compliant device, while "OR" accepts either one, which would weaken the original MFA policy:

Set-PnPConditionalAccessPolicy -Identity $policyId -GrantControls @{ operator = "AND"; builtInControls = @("Mfa", "CompliantDevice") }
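Writing a whole new grantControls object replaces whatever the policy currently has, so a control added by someone else is silently dropped. The following added example (not from the original post) does a read-modify-write against Microsoft Graph with Invoke-PnPGraphMethod instead: it loads the policy, adds the control only if it is missing, refuses to combine a control with "block" (Graph rejects that), PATCHes the merged list with the "AND" operator, and reads the policy back to verify. Add-CaGrantControl is a hypothetical helper name; the session is assumed to be connected as in Step 2.

```powershell
# Added example, not from the original post. Assumes an authenticated PnP session
# with the Policy.ReadWrite.ConditionalAccess scope.
function Add-CaGrantControl {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,
        [Parameter(Mandatory)] [string] $Control      # e.g. "compliantDevice"
    )

    $url    = "identity/conditionalAccess/policies/$PolicyId"
    $policy = Invoke-PnPGraphMethod -Url $url -Method Get
    $current = @($policy.grantControls.builtInControls)

    # "block" is exclusive: Graph does not allow it together with other grant controls.
    if ($current -contains "block") {
        throw "Policy '$($policy.displayName)' blocks access; 'block' cannot be combined with '$Control'."
    }
    if ($current -contains $Control) {
        Write-Host "Policy '$($policy.displayName)' already requires '$Control'; nothing to do."
        return $policy
    }

    $patch = @{
        grantControls = @{
            operator        = "AND"               # require every listed control, not just one of them
            builtInControls = $current + $Control
        }
    } | ConvertTo-Json -Depth 5

    Invoke-PnPGraphMethod -Url $url -Method Patch -Content $patch -ContentType "application/json" | Out-Null

    # Read back and verify the change actually landed before reporting success.
    $updated = Invoke-PnPGraphMethod -Url $url -Method Get
    if (@($updated.grantControls.builtInControls) -notcontains $Control -or $updated.grantControls.operator -ne "AND") {
        throw "Verification failed: policy '$($updated.displayName)' does not require '$Control' with operator AND."
    }
    Write-Host "Policy '$($updated.displayName)' now requires: $($updated.grantControls.builtInControls -join ' AND ')"
    return $updated
}

# Usage: same policy as Step 8, located by display name through Graph.
$target = (Invoke-PnPGraphMethod -Url "identity/conditionalAccess/policies" -Method Get).value |
    Where-Object { $_.displayName -eq "Require MFA for OneDrive Access" }
if ($target) { Add-CaGrantControl -PolicyId $target.id -Control "compliantDevice" }
```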

Step 9: Delete an Existing Conditional Access Policy

To remove a specific policy, get its ID:

$policyId = (Get-PnPConditionalAccessPolicy | Where-Object { $_.displayName -eq "Block OneDrive Access Outside Trusted Locations" }).id

Now, delete the policy:

Remove-PnPConditionalAccessPolicy -Identity $policyId -Confirm:$false

Step 10: Automate Policy Monitoring with Scheduled Tasks

To monitor conditional access policies and get an email report:

$reportPath = "C:\Reports\OneDrive_CA_Policies.csv"
Get-PnPConditionalAccessPolicy | Export-Csv -Path $reportPath -NoTypeInformation

$adminEmail = "admin@yourdomain.com"
$subject = "OneDrive Conditional Access Policies Report"
$body = "Attached is the latest report on OneDrive Conditional Access Policies."

# Get-Credential prompts interactively and will hang an unattended scheduled task.
# Create the credential file once, interactively, with:
#   Get-Credential | Export-Clixml -Path "C:\Reports\mail-credential.xml"
# Export-Clixml protects the secret with DPAPI, so only the same user on the same machine can read it back.
$mailCredential = Import-Clixml -Path "C:\Reports\mail-credential.xml"

# Send-MailMessage is marked obsolete by Microsoft but still ships with PowerShell.
Send-MailMessage -To $adminEmail -From "noreply@yourdomain.com" -Subject $subject -Body $body -Attachments $reportPath -SmtpServer "smtp.office365.com" -UseSsl -Port 587 -Credential $mailCredential

Schedule this PowerShell script to run weekly in Task Scheduler, under the same account that created the credential file so that DPAPI can decrypt it.
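A CSV of the policies tells you what exists today, but the monitoring question a defender actually wants answered is whether anything changed: a policy disabled, deleted, set to report-only, or an exclusion added. The following added example (not from the original post) snapshots the fields that matter through Invoke-PnPGraphMethod, stores a baseline as JSON on the first run, and on later runs reports every difference so the scheduled task can alert on drift. It assumes a connected session as in Step 2; $baselinePath is a placeholder path, and Get-CaPolicySnapshot, Compare-CaPolicySnapshot and Join-Sorted are hypothetical helper names.

```powershell
# Added example, not from the original post. Assumes an authenticated PnP session
# with at least Policy.Read.All (or Policy.ReadWrite.ConditionalAccess).
$baselinePath = "C:\Reports\OneDrive_CA_Baseline.json"   # placeholder path

function Join-Sorted([object[]] $Items) {
    # Normalise a list into a stable string so two snapshots compare by value.
    (@($Items) | Where-Object { $_ } | Sort-Object) -join ","
}

function Get-CaPolicySnapshot {
    # Keep only the security-relevant fields; ignore volatile metadata.
    (Invoke-PnPGraphMethod -Url "identity/conditionalAccess/policies" -Method Get).value |
        ForEach-Object {
            [pscustomobject]@{
                id          = $_.id
                displayName = $_.displayName
                state       = $_.state
                apps        = Join-Sorted $_.conditions.applications.includeApplications
                users       = Join-Sorted $_.conditions.users.includeUsers
                excluded    = Join-Sorted (@($_.conditions.users.excludeUsers) + @($_.conditions.users.excludeGroups))
                operator    = $_.grantControls.operator
                controls    = Join-Sorted $_.grantControls.builtInControls
                modified    = $_.modifiedDateTime
            }
        }
}

function Compare-CaPolicySnapshot {
    param([Parameter(Mandatory)] $Baseline, [Parameter(Mandatory)] $Current)

    $findings = @()
    $baseById = @{}; foreach ($p in @($Baseline)) { $baseById[$p.id] = $p }
    $curById  = @{}; foreach ($p in @($Current))  { $curById[$p.id]  = $p }

    foreach ($id in $baseById.Keys) {
        if (-not $curById.ContainsKey($id)) {
            $findings += "DELETED: '$($baseById[$id].displayName)'"
            continue
        }
        $b = $baseById[$id]; $c = $curById[$id]
        foreach ($field in "state", "apps", "users", "excluded", "operator", "controls") {
            if ("$($b.$field)" -ne "$($c.$field)") {
                $findings += "CHANGED $field on '$($c.displayName)': '$($b.$field)' -> '$($c.$field)' (modified $($c.modified))"
            }
        }
    }
    foreach ($id in $curById.Keys) {
        if (-not $baseById.ContainsKey($id)) { $findings += "ADDED: '$($curById[$id].displayName)' (state $($curById[$id].state))" }
    }
    return $findings
}

$current = @(Get-CaPolicySnapshot)

if (-not (Test-Path $baselinePath)) {
    # First run: record the reviewed state and stop.
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath; review it, then re-run to check for drift."
    return
}

$baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
$drift = @(Compare-CaPolicySnapshot -Baseline $baseline -Current $current)

if ($drift.Count -eq 0) {
    Write-Host "No Conditional Access drift since baseline."
} else {
    $drift | ForEach-Object { Write-Warning $_ }
    # Feed $drift into the Send-MailMessage body from Step 10 to get alerted.
}
```

When a change is legitimate, delete or overwrite the baseline file after the change review so the next run starts from the approved state; an unexpected "CHANGED state" or "DELETED" line is worth correlating with the Entra audit log entry for the policy.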
