Public/TenantConfiguration/Baseline/Add-ConditionalAccessPolicies.ps1
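function Add-ConditionalAccessPolicies {
    <#
    .SYNOPSIS
        Creates the baseline conditional access policies in a customer tenant.

    .DESCRIPTION
        Connects to the customer tenant, then reads every *.json file under
        "$PSScriptRoot\ConditionalAccessPolicies". For each policy the display names it
        references (include/exclude groups, include/exclude named locations, the
        authentication strength) are resolved to object ids in the target tenant and the
        policy is created through Microsoft Graph.

        A policy whose displayName already exists in the tenant is skipped. A referenced
        group that does not exist is created (as an empty security group); a referenced
        named location or authentication strength that does not exist aborts the run.

    .PARAMETER TenantId
        Customer tenant to connect to; handed to Connect-CustomerGraph.

    .OUTPUTS
        None. Progress is written to the host.

    .NOTES
        Any failure (Graph error, unresolved location/strength) is re-thrown as a single
        "Failed to create conditional access policies: ..." error.
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    # OData string literals are single-quoted. A display name containing a single quote would
    # otherwise terminate the literal and break (or change the meaning of) the -Filter expression,
    # so the quote is doubled per the OData escaping rule.
    function ConvertTo-ODataLiteral {
        param([string]$Value)
        return ($Value -replace "'", "''")
    }

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        $ExistingPolicies = Get-MgIdentityConditionalAccessPolicy -All
        $PolicyFiles = Get-ChildItem -Path "$PSScriptRoot\ConditionalAccessPolicies" -Filter *.json

        foreach ($PolicyFile in $PolicyFiles) {
            $Policy = Get-Content -Path $PolicyFile.FullName | ConvertFrom-Json -Depth 100

            if ($ExistingPolicies.displayName -contains $Policy.displayName) {
                Write-Host "Conditional access policy '$($Policy.displayName)' already exists, not creating.." -ForegroundColor Yellow
                continue
            }

            # Walk the nested objects (conditions, grantControls, ...) and swap display names for ids.
            foreach ($Property in $Policy.PSObject.Properties) {
                if ($Property.Value -isnot [PSCustomObject]) {
                    continue
                }

                foreach ($NestedProperty in $Property.Value.PSObject.Properties) {
                    switch ($NestedProperty.Name) {
                        "users" {
                            foreach ($UsersProperty in $NestedProperty.Value.PSObject.Properties) {
                                if ($UsersProperty.Name -ne "excludeGroups" -and $UsersProperty.Name -ne "includeGroups") {
                                    continue
                                }

                                # Index loop: the array is rewritten in place, element by element.
                                for ($i = 0; $i -lt $UsersProperty.Value.Count; $i++) {
                                    $GroupName = $UsersProperty.Value[$i]
                                    $Group = Get-MgGroup -Filter "displayName eq '$(ConvertTo-ODataLiteral $GroupName)'" | Select-Object -First 1

                                    if (-not $Group) {
                                        Write-Host "Group '$GroupName' not found, creating.." -ForegroundColor Yellow
                                        # mailNickname does not accept spaces or most punctuation, so it is derived
                                        # from the display name rather than copied verbatim.
                                        $MailNickname = $GroupName -replace '[^A-Za-z0-9]', ''
                                        $Group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -MailNickname $MailNickname -SecurityEnabled:$true
                                        # The new group has no members. For an exclusion (break-glass) group this
                                        # means nobody is excluded until it is populated - do that before enabling.
                                    }

                                    $UsersProperty.Value[$i] = $Group.Id
                                }
                            }
                        }

                        "locations" {
                            foreach ($LocationsProperty in $NestedProperty.Value.PSObject.Properties) {
                                if ($LocationsProperty.Name -ne "excludeLocations" -and $LocationsProperty.Name -ne "includeLocations") {
                                    continue
                                }

                                for ($i = 0; $i -lt $LocationsProperty.Value.Count; $i++) {
                                    $LocationName = $LocationsProperty.Value[$i]

                                    # "All" / "AllTrusted" are Graph keywords, not named locations: keep them as-is
                                    # and skip the lookup (the check is per element, before any Graph call).
                                    if ($LocationName -eq "All" -or $LocationName -eq "AllTrusted") {
                                        continue
                                    }

                                    $Location = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$(ConvertTo-ODataLiteral $LocationName)'" | Select-Object -First 1
                                    if (-not $Location) {
                                        throw "Location '$LocationName' not found. Stopping"
                                    }

                                    $LocationsProperty.Value[$i] = $Location.Id
                                }
                            }
                        }

                        "authenticationStrength" {
                            # The JSON carries the strength's display name in the "id" field; it is replaced
                            # with the tenant-specific object id here.
                            foreach ($StrengthProperty in $NestedProperty.Value.PSObject.Properties) {
                                if ($StrengthProperty.Name -ne "Id") {
                                    continue
                                }

                                $Strength = Get-MgPolicyAuthenticationStrengthPolicy -Filter "displayName eq '$(ConvertTo-ODataLiteral $StrengthProperty.Value)'" | Select-Object -First 1
                                if (-not $Strength) {
                                    throw "Authentication strength '$($StrengthProperty.Value)' not found. Stopping"
                                }

                                $StrengthProperty.Value = $Strength.Id
                            }
                        }

                        Default {}
                    }
                }
            }

            $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter ($Policy | Convert-PSObjectToHashtable)

            # The state comes from the JSON file, so report what was actually created rather than
            # unconditionally claiming report-only mode; an "enabled" baseline policy takes effect immediately.
            if ($Created.State -eq "enabledForReportingButNotEnforced") {
                Write-Host "Created conditional access policy '$($Created.DisplayName)'. Only in reporting mode - enable manually when ready!" -ForegroundColor Green
            }
            else {
                Write-Host "Created conditional access policy '$($Created.DisplayName)' in state '$($Created.State)'." -ForegroundColor Green
            }
        }
    }
    catch {
        throw "Failed to create conditional access policies: $_"
    }
}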