Struggling to create a PowerShell script to deploy a conditional access policy to block legacy authentication

144 views

This is my first post here and I'm really hoping that someone will figure this out with me. As you may have seen in the title of the post, I'm trying to create a PowerShell script that will deploy a conditional access policy to block legacy authentication, but I couldn't figure it out. Can someone please look into my code and tell me why it's not working? It fails at:

$conditions.ClientAppTypes = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessClientApp
$conditions.ClientAppTypes = @("ExchangeActiveSync", "Other")

Main code:

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Applications.ExcludeApplications = @(
    ""
    ""#applications
)
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
$conditions.Users.ExcludeUsers = @(
    "" #Admin user ID
    "GuestsOrExternalUsers"
    )
$conditions.Users.ExcludeGroups = "" #Admin group ID
$conditions.Users.ExcludeRoles = @(
 #   "" 
  #  ""
)

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessClientApp
$conditions.ClientAppTypes = @("ExchangeActiveSync", "Other")



$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "block"

New-AzureADMSConditionalAccessPolicy -DisplayName "Block Legacy Authentication" -State "Disabled" -Conditions $conditions -GrantControls $controls

There is 1 answer

Rukmini (Best answer)

To create a conditional access policy that blocks legacy authentication, you can use the PowerShell script below:

Connect-MgGraph -Scopes "Policy.Read.All",  
"Policy.ReadWrite.ConditionalAccess", 
"Application.Read.All"

$conditions = @{ 
Applications = @{   
includeApplications = 'All' 
};
Users = @{ 
includeUsers = 'All' 
};
ClientAppTypes = @( 
'ExchangeActiveSync',
'Other'
);   
}  
  
$grantcontrols = @{ 
BuiltInControls = @('Block'); 
Operator = 'OR' 
}

$name = "Block Legacy Authentication All Apps"  
$state = "Disabled"  
  
New-MgIdentityConditionalAccessPolicy `
    -DisplayName $name `
    -State $state `
    -Conditions $conditions `
    -GrantControls $grantcontrols


Conditional Access policy created successfully:


To enable the policy, change the line to $state = "Enabled".
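The following is an added example, not code from the question or from Rukmini's answer. It goes a step beyond the answer's script in the way a deployment script usually has to: it creates the policy in report-only mode (Graph's `enabledForReportingButNotEnforced` state) so sign-in logs show what would be blocked before anyone is locked out, excludes a break-glass group so the emergency-access account cannot be caught by the block, is idempotent (re-running updates the existing policy instead of creating a duplicate), and reads the policy back to verify the settings that matter. It assumes the Microsoft.Graph module is installed and that `$breakGlassGroupId` is replaced with your own emergency-access group's object ID (the value shown is a placeholder).

```powershell
# Added example: deploy a "block legacy authentication" Conditional Access
# policy idempotently, starting in report-only mode with a break-glass exclusion.
# Not the question's or the answer's code. Requires the Microsoft.Graph module.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policyName        = "Block Legacy Authentication"
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder: replace with your emergency-access group ID

# Graph policy states: enabled, disabled, enabledForReportingButNotEnforced (report-only).
# Start in report-only; switch to "enabled" only after reviewing the report-only sign-in results.
$state = "enabledForReportingButNotEnforced"

$params = @{
    displayName   = $policyName
    state         = $state
    conditions    = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # keep the break-glass account reachable
        }
        # Legacy (basic-auth) protocols surface as these two client app types.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Idempotency: look the policy up by display name before creating it.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"

if ($existing) {
    Write-Host "Policy '$policyName' already exists (state: $($existing.State)); updating it in place."
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $params
    $policyId = $existing.Id
} else {
    $created  = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
    $policyId = $created.Id
    Write-Host "Created policy '$policyName' with id $policyId"
}

# Read the policy back and verify the three settings that make it effective:
# it blocks, it covers both legacy client app types, and the break-glass group is excluded.
$policy     = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
$clientApps = $policy.Conditions.ClientAppTypes
$blocks     = $policy.GrantControls.BuiltInControls -contains "block"
$excludes   = $policy.Conditions.Users.ExcludeGroups -contains $breakGlassGroupId
$coversAll  = ($clientApps -contains "exchangeActiveSync") -and ($clientApps -contains "other")

if ($blocks -and $excludes -and $coversAll) {
    Write-Host "Verified: '$policyName' is configured as expected (state: $($policy.State))."
} else {
    Write-Warning "Policy '$policyName' does not match the expected configuration; review it before enabling."
}
```

Leave the policy in report-only for long enough to cover your normal sign-in cycle (including any scheduled jobs that might still use basic auth), then change `$state` to `"enabled"` and re-run the script; the update path applies the new state to the same policy.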