Export/Import your Conditional Access policy baselines for your customers

I have recently come across an amazing new PowerShell module which allows you to export and import your Conditional Access policies. This module is brilliant if you're someone like me who loves a bit of PowerShell and baselines their configuration so it can be reused for other customers.

Before we continue, I wanted to highlight the author of this module, Daniel Chronlund. Make sure you follow his blog and give him a #FF on Twitter.
https://danielchronlund.com
http://twitter.com/danielchronlund

So first of all, let's install the module on your client machine:

Install-Module -Name DCToolbox

Once installed, let's see which commands the module provides by running the following command.

Get-Command -Module DCToolbox

Before running the above commands I suggest running the following two commands, as they provide useful examples (Copy-DCExample copies a ready-made example to your clipboard).

Get-DCHelp
Copy-DCExample

Copy-DCExample presents four options to choose from:

Option  Option name                                                      Description
1       Microsoft Graph with PowerShell examples                         Provides PowerShell scripting examples
2       Manage Conditional Access as code                                Provides PowerShell scripting examples
3       Activate an Azure AD Privileged Identity Management (PIM) role   Provides PowerShell scripting examples
4       General PowerShell script template                               Creates a PowerShell script template

Each option copies the corresponding code to your clipboard, which you can then paste into an editor such as PowerShell ISE.

Microsoft Graph with PowerShell examples

*** Connect Examples ***

Connect to Microsoft Graph with delegated credentials.

$Parameters = @{
ClientID = ''
ClientSecret = ''
}
$AccessToken = Connect-DCMsGraphAsDelegated @Parameters

Connect to Microsoft Graph with application credentials.

$Parameters = @{
TenantName = 'example.onmicrosoft.com'
ClientID = ''
ClientSecret = ''
}
$AccessToken = Connect-DCMsGraphAsApplication @Parameters

*** Microsoft Graph Query Examples ***

GET data from Microsoft Graph.

$Parameters = @{
AccessToken = $AccessToken
GraphMethod = 'GET'
GraphUri = 'https://graph.microsoft.com/v1.0/users'
}
Invoke-DCMsGraphQuery @Parameters

POST changes to Microsoft Graph.

$Parameters = @{
AccessToken = $AccessToken
GraphMethod = 'POST'
GraphUri = 'https://graph.microsoft.com/v1.0/users'
GraphBody = @"

"@
}
Invoke-DCMsGraphQuery @Parameters

PUT changes to Microsoft Graph.

$Parameters = @{
AccessToken = $AccessToken
GraphMethod = 'PUT'
GraphUri = 'https://graph.microsoft.com/v1.0/users'
GraphBody = @"

"@
}
Invoke-DCMsGraphQuery @Parameters

PATCH changes to Microsoft Graph.

$Parameters = @{
AccessToken = $AccessToken
GraphMethod = 'PATCH'
GraphUri = 'https://graph.microsoft.com/v1.0/users'
GraphBody = @"

"@
}
Invoke-DCMsGraphQuery @Parameters

DELETE data from Microsoft Graph.

$Parameters = @{
AccessToken = $AccessToken
GraphMethod = 'DELETE'
GraphUri = 'https://graph.microsoft.com/v1.0/users'
}
Invoke-DCMsGraphQuery @Parameters
<#
Filter examples (appended to the GraphUri):
/users?$filter=startswith(givenName,'J')
/users?$filter=givenName eq 'Test'
#>

Learn more about the Graph commands.

help Connect-DCMsGraphAsDelegated -Full
help Connect-DCMsGraphAsApplication -Full
help Invoke-DCMsGraphQuery -Full
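The generic GET example above works against any Graph endpoint. As an added example (not part of the original post or of DCToolbox itself), the script below points the same helpers at the Conditional Access policy endpoint and summarises each policy's state and exclusions, which is the first thing to check before you treat a tenant's policies as a baseline. It assumes that Connect-DCMsGraphAsDelegated returns a bearer token and that Invoke-DCMsGraphQuery returns the objects from the response's value array (following the pages for you), which is how the examples above use them; the ClientID/ClientSecret values are yours to fill in.

```powershell
# Added example: summarise Conditional Access policies with the DCToolbox Graph helpers.
# Not part of the original post or of DCToolbox. Assumes Connect-DCMsGraphAsDelegated
# returns a bearer token string and Invoke-DCMsGraphQuery returns the policy objects
# from the 'value' array (paging handled by the module).

$Parameters = @{
    ClientID     = ''   # your app registration; Policy.Read.All is enough for reading
    ClientSecret = ''
}
$AccessToken = Connect-DCMsGraphAsDelegated @Parameters

$Query = @{
    AccessToken = $AccessToken
    GraphMethod = 'GET'
    GraphUri    = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
}
$Policies = Invoke-DCMsGraphQuery @Query

# Count list entries without tripping over $null (@($null).Count is 1 in PowerShell).
function Measure-Ids {
    param($Ids)
    @($Ids | Where-Object { $_ }).Count
}

# Graph reports policy state as 'enabled', 'disabled' or
# 'enabledForReportingButNotEnforced' (report-only). Only 'enabled' enforces anything.
$Summary = foreach ($Policy in $Policies) {
    [pscustomobject]@{
        DisplayName     = $Policy.displayName
        State           = $Policy.state
        Enforcing       = ($Policy.state -eq 'enabled')
        TargetsAllUsers = ('All' -in @($Policy.conditions.users.includeUsers))
        # Exclusions are where break-glass accounts and legacy carve-outs live;
        # they are also what you must re-map when the baseline moves to another tenant.
        ExcludedUsers   = Measure-Ids $Policy.conditions.users.excludeUsers
        ExcludedGroups  = Measure-Ids $Policy.conditions.users.excludeGroups
    }
}

$Summary | Sort-Object State, DisplayName | Format-Table -AutoSize

# A policy that targets all users with no exclusion at all will also catch your
# break-glass account, so flag those before the design is exported as a baseline.
$Summary |
    Where-Object { $_.TargetsAllUsers -and $_.ExcludedUsers -eq 0 -and $_.ExcludedGroups -eq 0 } |
    ForEach-Object { Write-Warning "'$($_.DisplayName)' targets all users with no exclusions." }
```

Run it once in the source tenant before exporting and once in the customer tenant after importing; the second run should show every imported policy in report-only state until you deliberately enable it.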

Manage Conditional Access as code


You first need to register a new application in your Azure AD according to this article:
https://danielchronlund.com/2018/11/19/fetch-data-from-microsoft-graph-with-powershell-paging-support/

The following Microsoft Graph API permissions are required for this to work:
Policy.ReadWrite.ConditionalAccess
Policy.Read.All
Directory.Read.All
Agreement.Read.All
Application.Read.All

Also, the user running this (the one who signs in when the authentication pops up) must have the appropriate permissions in Azure AD (Global Admin, Security Admin, Conditional Access Admin, etc).

Export your Conditional Access policies to a JSON file for backup.

$Parameters = @{
ClientID = ''
ClientSecret = ''
FilePath = 'C:\Temp\Conditional Access Backup.json'
}
Export-DCConditionalAccessPolicyDesign @Parameters

Import Conditional Access policies from a JSON file exported by Export-DCConditionalAccessPolicyDesign.

$Parameters = @{
ClientID = ''
ClientSecret = ''
FilePath = 'C:\Temp\Conditional Access Backup.json'
SkipReportOnlyMode = $false
DeleteAllExistingPolicies = $false
}
Import-DCConditionalAccessPolicyDesign @Parameters

Export Conditional Access policy design report to Excel.

$Parameters = @{
ClientID = ''
ClientSecret = ''
}
New-DCConditionalAccessPolicyDesignReport @Parameters

Export Conditional Access Assignment Report to Excel.

$Parameters = @{
ClientID = ''
ClientSecret = ''
IncludeGroupMembers = $false
}
New-DCConditionalAccessAssignmentReport @Parameters

Learn more about the different Conditional Access commands in DCToolbox.

help Export-DCConditionalAccessPolicyDesign -Full
help Import-DCConditionalAccessPolicyDesign -Full
help New-DCConditionalAccessPolicyDesignReport -Full
help New-DCConditionalAccessAssignmentReport -Full
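One caveat the export/import pair does not solve for you: the exported JSON carries object IDs from the tenant it came from. Groups (for example the break-glass exclusion group), users and named locations will not exist under the same GUIDs in the customer tenant, whereas directory role template IDs and keywords such as All and None are the same everywhere. The script below is an added example (not part of the original post or of DCToolbox) that rewrites the tenant-specific IDs from a mapping you supply before the file is handed to Import-DCConditionalAccessPolicyDesign, and refuses to write the output if it meets a GUID it cannot map. It assumes the export file is a JSON array of Graph conditionalAccessPolicy objects as written by ConvertTo-Json; the file paths and all GUIDs in the mapping are placeholders.

```powershell
# Added example: re-map tenant-specific object IDs in an exported CA baseline.
# Not part of the original post or of DCToolbox. Assumes the export file is a
# JSON array of Graph conditionalAccessPolicy objects (ConvertTo-Json output).
# Every GUID below is a placeholder; build $IdMap from the two tenants yourself.

param(
    [string]$SourceFile      = 'C:\Temp\Conditional Access Backup.json',
    [string]$DestinationFile = 'C:\Temp\Conditional Access Customer.json'
)

# Source tenant object ID -> customer tenant object ID.
$IdMap = @{
    '00000000-0000-0000-0000-00000000aaaa' = '11111111-1111-1111-1111-11111111aaaa'  # CA-Exclude-BreakGlass group
    '00000000-0000-0000-0000-00000000bbbb' = '11111111-1111-1111-1111-11111111bbbb'  # "HQ office" named location
}

$GuidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
$Unmapped    = [System.Collections.Generic.List[string]]::new()

function Convert-IdList {
    # Emits the list with every mapped GUID replaced and records GUIDs with no mapping.
    # Non-GUID entries ('All', 'None', 'AllTrusted', 'GuestsOrExternalUsers') pass through.
    param([string[]]$Ids, [string]$Context)
    foreach ($Id in $Ids) {
        if ($Id -notmatch $GuidPattern) { $Id; continue }
        if ($IdMap.ContainsKey($Id))    { $IdMap[$Id] }
        else                            { $Unmapped.Add("$Context -> $Id"); $Id }
    }
}

$Policies = @(Get-Content -Path $SourceFile -Raw | ConvertFrom-Json)

foreach ($Policy in $Policies) {
    $Users = $Policy.conditions.users
    if ($null -ne $Users) {
        foreach ($Prop in 'includeUsers', 'excludeUsers', 'includeGroups', 'excludeGroups') {
            if ($null -ne $Users.$Prop) {
                $Users.$Prop = @(Convert-IdList -Ids $Users.$Prop -Context "$($Policy.displayName)/users.$Prop")
            }
        }
    }
    # Role template IDs (includeRoles/excludeRoles) are identical across tenants; leave them.
    $Locations = $Policy.conditions.locations
    if ($null -ne $Locations) {
        foreach ($Prop in 'includeLocations', 'excludeLocations') {
            if ($null -ne $Locations.$Prop) {
                $Locations.$Prop = @(Convert-IdList -Ids $Locations.$Prop -Context "$($Policy.displayName)/locations.$Prop")
            }
        }
    }
}

# An ID that does not exist in the customer tenant either fails the import or, worse,
# silently leaves a policy without its intended exclusion. Stop rather than guess.
if ($Unmapped.Count -gt 0) {
    $Unmapped | ForEach-Object { Write-Warning "Unmapped ID: $_" }
    throw "$($Unmapped.Count) tenant-specific ID(s) have no mapping; extend `$IdMap before importing."
}

$Policies | ConvertTo-Json -Depth 20 | Set-Content -Path $DestinationFile -Encoding UTF8
Write-Host "Wrote $($Policies.Count) policies to $DestinationFile"
```

Feed the rewritten file to Import-DCConditionalAccessPolicyDesign with SkipReportOnlyMode left at $false, so the policies land in report-only mode in the customer tenant, and keep DeleteAllExistingPolicies at $false unless you really intend to wipe whatever the customer already has. Check the sign-in logs against the report-only results before enabling anything.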

Activate an Azure AD Privileged Identity Management (PIM) role.

Enable-DCAzureADPIMRole

A user sign-in prompt will pop up and, after signing in, the following will happen:

VERBOSE: Connecting to Azure AD...

*** Activate PIM Role ***

[1] User Account Administrator
[2] Application Administrator
[3] Security Administrator
[0] Exit

Choice: 3
Duration [1 hour(s)]: 1
Reason: Need to do some security work!
VERBOSE: Activating PIM role...
VERBOSE: Security Administrator has been activated until 11/13/2020 11:41:01!

Learn more about Enable-DCAzureADPIMRole.

help Enable-DCAzureADPIMRole -Full

Privileged Identity Management | My roles: https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ActivationMenuBlade/aadmigratedroles

Privileged Identity Management | Azure AD roles | Overview: https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ResourceMenuBlade/aadoverview/resourceId//resourceType/tenant/provider/aadroles

General PowerShell script template

<#
    .SYNOPSIS
        A simple script template.

    .DESCRIPTION
        Write a description of what the script does and how to use it.
        
    .PARAMETER Parameter1
        Inputs a string into the script.
            
    .PARAMETER Parameter2
        Inputs an integer into the script.
            
    .PARAMETER Parameter3
        Sets a script switch.

    .INPUTS
        None

    .OUTPUTS
        System.String

    .NOTES
        Version:        1.0
        Author:         Daniel Chronlund
        Creation Date:  2021-01-01

    .EXAMPLE
        Script-Template -Parameter1 "Text" -Parameter2 1 -Verbose

    .EXAMPLE
        Script-Template -Parameter1 "Text" -Parameter2 1 -Parameter3 -Verbose
#>

# ----- [Initialisations] -----

# Script parameters.
param (
    [parameter(Mandatory = $true)]
    [string]$Parameter1 = "Text",

    [parameter(Mandatory = $true)]
    [int32]$Parameter2 = 1,

    [parameter(Mandatory = $false)]
    [switch]$Parameter3
)

# Set Error Action - Possible choices: Stop, SilentlyContinue
$ErrorActionPreference = "Stop"

# ----- [Declarations] -----

# Variable 1 description.
$Variable1 = ""

# Variable 2 description.
$Variable2 = ""

# ----- [Functions] -----

function function1
{
    <#
        .SYNOPSIS
            A brief description of the function1 function.
        
        .DESCRIPTION
            A detailed description of the function1 function.
        
        .PARAMETER Parameter1
            A description of the Parameter1 parameter.
        
        .EXAMPLE
            function1 -Parameter1 'Value1'
    #>

    param (
        [parameter(Mandatory = $true)]
        [string]$Parameter1
    )

    $Output = $Parameter1

    $Output
}

# ----- [Execution] -----

# Do the following.
function1 -Parameter1 'Test'

# ----- [End] -----

You now have all the knowledge and tools required to back up your Conditional Access policies and reuse them as a baseline in other tenants. Keep in mind that an exported design still references object IDs (groups, users, named locations) from the source tenant, and that imported policies land in report-only mode unless you tell the module otherwise, so review them in the customer tenant before enforcing.

Regards
The Author – Blogabout.Cloud
