Conditional Access templates (Preview) and other tips on the side

First, I want to mention Microsoft Entra admin center and the announcement Microsoft made about it.

You should care about it because starting from 2023 new capabilities will be rolled out to Entra.

Also in December Microsoft started redirects when opening inside M365 admin portals. Eventually Entra will be the primary portal for identities and everything around it.

CA templates

CA templates aren’t a new thing, templates where announces to preview back in November 2021

But as Conditional access keep evolving, there will be more and more functionalities coming with it.

Why you should use them?

First, they give a good overview of what kind of policies you can deploy, based on the standards that Microsoft follows and sees in the Zero Trust framework.

Secondly, templates will automatically exclude the user from the policies create.

Yes, the manual creation will also warn about this as the result could be locking yourselves out but it doesn’t enforce it, you can still enable the policy and deal with the consequences if not understanding what happens.

Template categories

There are different categories for those templates and I believe there will more templates coming in the future.

Nice to see this kind of dividing with the different use case templates, it will help you visualize why to use them.

Exporting templates

When you open a template, you can view the settings it has and enable it but you can also export the templates to JSON and modify them. Then you can upload your own templates back to Conditional Access.

Quick tip! If you files seem to be displayed in one line, you can Format the document inside Visual Studio Code quite easily.

Now you can see the full picture and edit the parameters needed, then upload it back to CA.

Modifying the JSON

Once you download that JSON, you have to modify it a bit. Microsoft uses Graph for the creation and it has to comply with the format it understands.

Downloaded version

Will look like this

Modified version

And it should look like this. You will remove the name and ID but also details. Finally you only have the displayname, state and conditions you wish to have.

You can read more here on the formats and queries.

Importing directly from the Portal is a bit broken, it will take most of the conditions but things like Displayname won’t be populated.

So how about …

Importing with Graph

The same file can be used for Graph POST. Just open Graph explorer, Postman or whatever you want to use for the calls.

List the CA policies with GET and the following

Then POST the new policy to Conditional access

And success! Graph does the job and it takes a while once the new policy can be seen inside the Portal itself.

And the name and other parameters are correctly populated, how cool is that!

If you like, you can also use MS Graph PowerShell cmdlets to create them.

Read here Microsoft official documentation on this feature


Conditional access is an essential part of making our environment secure via enforcements. No matter if you use it for Authentication or device enforcements. There are a lot of combinations with allows and blocks that you can use to achieve the best practices of Zero Trust modeling.

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *