Conditional Access Policies (CAPs) in Microsoft Entra ID (Azure AD) allow organizations to enforce security measures based on user identity, device state, location, and risk levels. PowerShell provides a powerful way to create, modify, and manage Conditional Access Policies programmatically.
This guide covers:
- Connecting to Microsoft Graph PowerShell
- Listing existing Conditional Access Policies
- Creating a new Conditional Access Policy
- Modifying and updating policies
- Deleting policies
- Automating policy management
Step 1: Prerequisites
1. Install Microsoft Graph PowerShell
Ensure you have the Microsoft Graph PowerShell SDK installed:
Install-Module Microsoft.Graph -Scope CurrentUser -Force
2. Connect to Microsoft Graph
Sign in with Global Administrator or Security Administrator permissions:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
If prompted, grant consent for the required permissions.
Now you’re connected!
Step 2: List Existing Conditional Access Policies
To view all configured Conditional Access Policies:
Get-MgIdentityConditionalAccessPolicy | Select-Object Id, DisplayName, State
This lists every policy with its ID and state (enabled, disabled, or enabledForReportingButNotEnforced, i.e. report-only).
Step 3: Create a New Conditional Access Policy
The following example requires multi-factor authentication (MFA) for all users except those in the “Break Glass” admin group when accessing Microsoft 365 apps.
$policy = @{
    displayName = "Require MFA for Microsoft 365 Apps"
    state       = "enabled"
    conditions  = @{
        users = @{
            includeUsers  = @("All")                      # Apply to all users
            excludeGroups = @("BreakGlassAdminGroupID")   # Exclude break glass accounts (replace with the group's object ID)
        }
        applications = @{
            includeApplications = @("Office365")          # Apply to Microsoft 365 apps
        }
        locations = @{
            includeLocations = @("All")                   # Apply to all locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                        # Require MFA
    }
    sessionControls = @{}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
This enforces MFA for all users accessing Microsoft 365 apps except break-glass accounts.
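A safer variant of the same deployment, added here as an example (it is not code from the original article): the break-glass group is resolved by display name instead of a pasted ID, the policy is created in report-only mode so sign-in logs show what it would block before anyone is locked out, and the exclusion is read back and checked before the policy is considered for enforcement. The group name "Break Glass Admins" and the policy name are assumptions; change them to match your tenant.

```powershell
# Added example, not from the original article. Assumes a group named "Break Glass Admins"
# exists. Needs the Microsoft.Graph.Groups module for Get-MgGroup.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$breakGlassName = "Break Glass Admins"   # assumed display name of the break-glass group
$group = @(Get-MgGroup -Filter "displayName eq '$breakGlassName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$breakGlassName' (found $($group.Count)); refusing to create a policy without a valid exclusion."
}
$breakGlassId = $group[0].Id

$policy = @{
    displayName = "Require MFA for Microsoft 365 Apps (report-only)"
    state       = "enabledForReportingButNotEnforced"   # evaluated and logged, never enforced
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassId)
        }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{ includeLocations = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the exclusion is present before anyone flips it to "enabled".
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if (@($check.Conditions.Users.ExcludeGroups) -notcontains $breakGlassId) {
    throw "Break-glass group is not excluded from policy $($check.Id); investigate before enabling."
}
Write-Host "Created '$($check.DisplayName)' [$($check.Id)] in state '$($check.State)'."
```

Review the report-only results in the sign-in logs for a few days, then switch the state to "enabled" with Update-MgIdentityConditionalAccessPolicy as shown in Step 5.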
Step 4: Modify an Existing Conditional Access Policy
To modify an existing policy (e.g., adding a new excluded group):
$policyId = "your-policy-id"
$updatedPolicy = @{
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("BreakGlassAdminGroupID", "NewExcludedGroupID")   # Add new exclusion
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter $updatedPolicy
This updates the policy to exclude an additional group.
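Hard-coding the full exclusion list in the request means the script must already know every group that is excluded, and sending only part of the conditions set risks leaving the policy without the conditions you did not mention. The following added example (not code from the original article) instead reads the live policy, appends the new group to its current exclusions, and sends the complete conditions set back. $policyId and $newGroupId are placeholders.

```powershell
# Added example, not from the original article. Read-modify-write of a policy's exclusions.
$policyId   = "your-policy-id"        # placeholder
$newGroupId = "NewExcludedGroupID"    # placeholder: object ID of the group to exclude

# @($null) is a one-element array in PowerShell, so normalise nulls to empty lists explicitly.
function AsList($value) { if ($null -eq $value) { @() } else { @($value) } }

$current = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
$c = $current.Conditions

$exclusions = AsList $c.Users.ExcludeGroups
if ($exclusions -contains $newGroupId) {
    Write-Host "Group $newGroupId is already excluded from '$($current.DisplayName)'; nothing to do."
}
else {
    $exclusions += $newGroupId

    # Rebuild the whole conditions block from the live policy so nothing else is dropped.
    $conditions = @{
        users = @{
            includeUsers  = AsList $c.Users.IncludeUsers
            excludeUsers  = AsList $c.Users.ExcludeUsers
            includeGroups = AsList $c.Users.IncludeGroups
            excludeGroups = $exclusions
            includeRoles  = AsList $c.Users.IncludeRoles
            excludeRoles  = AsList $c.Users.ExcludeRoles
        }
        applications = @{
            includeApplications = AsList $c.Applications.IncludeApplications
            excludeApplications = AsList $c.Applications.ExcludeApplications
            includeUserActions  = AsList $c.Applications.IncludeUserActions
        }
        clientAppTypes   = AsList $c.ClientAppTypes
        signInRiskLevels = AsList $c.SignInRiskLevels
        userRiskLevels   = AsList $c.UserRiskLevels
    }
    if ($c.Locations -and $c.Locations.IncludeLocations) {
        $conditions.locations = @{
            includeLocations = AsList $c.Locations.IncludeLocations
            excludeLocations = AsList $c.Locations.ExcludeLocations
        }
    }
    if ($c.Platforms -and $c.Platforms.IncludePlatforms) {
        $conditions.platforms = @{
            includePlatforms = AsList $c.Platforms.IncludePlatforms
            excludePlatforms = AsList $c.Platforms.ExcludePlatforms
        }
    }

    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter @{ conditions = $conditions }

    # Verify the change landed.
    $after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
    if (@($after.Conditions.Users.ExcludeGroups) -notcontains $newGroupId) {
        throw "Exclusion for $newGroupId was not applied to '$($after.DisplayName)'."
    }
    Write-Host "'$($after.DisplayName)' now excludes $(@($after.Conditions.Users.ExcludeGroups).Count) groups."
}
```

The same pattern works for any other list in the conditions set: read the live value, change only the list you mean to change, and write the whole set back.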
Step 5: Disable or Enable a Conditional Access Policy
To disable a policy:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "your-policy-id" -State "disabled"
To enable a policy:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "your-policy-id" -State "enabled"
Use this to activate/deactivate policies as needed.
Step 6: Delete a Conditional Access Policy
To permanently remove a policy:
Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "your-policy-id"
This deletes the specified policy. Be cautious!
Step 7: Automating Conditional Access Policy Management
To automate policy checks, create a script and schedule it in Task Scheduler or Azure Automation.
Example: Export all policies to a CSV file regularly.
$outputFile = "C:\ConditionalAccessPolicies.csv"
$policies = Get-MgIdentityConditionalAccessPolicy | Select-Object Id, DisplayName, State
$policies | Export-Csv -Path $outputFile -NoTypeInformation
Write-Host "Conditional Access Policies exported to $outputFile"
Now, security teams can review policies regularly.
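A CSV of IDs, names and states shows that a policy exists but not what it enforces, so a change to an exclusion list or grant control goes unnoticed. The following added example (not code from the original article) extends the scheduled export: it writes each policy's full definition as JSON into a dated folder that can be kept under version control, and produces a review report that flags disabled policies and enabled policies that do not exclude the break-glass group. The export path and the break-glass group ID are placeholders.

```powershell
# Added example, not from the original article. Nightly export plus drift report.
$exportRoot        = "C:\CAPolicyBackups"        # placeholder
$breakGlassGroupId = "BreakGlassAdminGroupID"    # placeholder: object ID of the break-glass group

# Interactive sign-in shown here; an Azure Automation runbook would use a managed identity instead.
Connect-MgGraph -Scopes "Policy.Read.All"

$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$folder = Join-Path $exportRoot $stamp
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$policies = @(Get-MgIdentityConditionalAccessPolicy -All)

$findings = foreach ($p in $policies) {
    # Keep the complete definition (conditions, grant and session controls), not just the summary.
    $safeName = $p.DisplayName -replace '[^\w\-. ]', '_'
    $p.ToJsonString() | Set-Content -Path (Join-Path $folder "$safeName.json") -Encoding UTF8

    $excludesBreakGlass = @($p.Conditions.Users.ExcludeGroups) -contains $breakGlassGroupId
    $issue = if ($p.State -eq "disabled") {
        "Policy is disabled"
    }
    elseif ($p.State -eq "enabled" -and -not $excludesBreakGlass) {
        "Enabled policy does not exclude the break-glass group"
    }
    else {
        ""
    }

    [pscustomobject]@{
        Id                 = $p.Id
        DisplayName        = $p.DisplayName
        State              = $p.State
        ModifiedDateTime   = $p.ModifiedDateTime
        ExcludesBreakGlass = $excludesBreakGlass
        Issue              = $issue
    }
}

$report = Join-Path $folder "ConditionalAccessReport.csv"
$findings | Export-Csv -Path $report -NoTypeInformation

$needsReview = @($findings | Where-Object { $_.Issue })
$needsReview | Format-Table DisplayName, State, Issue -AutoSize
Write-Host "$($policies.Count) policies exported to $folder; $($needsReview.Count) flagged for review."
```

Committing the JSON folder to a repository after each run turns the export into a change history: a diff between two runs shows exactly which condition or control changed, and when.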
