Conditional Access templates (Preview) and other tips on the side

First, I want to mention the Microsoft Entra admin center and the announcement Microsoft made about it.

You should care about it because, starting from 2023, new capabilities will be rolled out to Entra first.

Also, in December Microsoft started redirecting https://aad.portal.azure.com/ when it is opened from inside the M365 admin portals. Eventually Entra will be the primary portal for identities and everything around them.

CA templates

CA templates aren't a new thing; they were announced for preview back in November 2021.

But as Conditional Access keeps evolving, more and more functionality will come with it.

Why should you use them?

First, they give a good overview of what kind of policies you can deploy, based on the standards Microsoft follows and recommends in its Zero Trust framework.

Secondly, templates automatically exclude the user creating the policy from the policies they create.

Yes, manual creation also warns about this, as the result could be locking yourself out, but it doesn't enforce it: you can still enable the policy and deal with the consequences if you don't understand what happens.

Template categories

There are different categories for these templates, and I believe more templates will be coming in the future.

It is nice to see the templates divided by use case; it helps you visualize why you would use each one.

Exporting templates

When you open a template, you can view the settings it has and enable it, but you can also export the template to JSON and modify it. Then you can upload your own templates back to Conditional Access.

Quick tip! If your file seems to be displayed on one line, you can use Format Document inside Visual Studio Code to pretty-print it.

Now you can see the full picture and edit the parameters you need, then upload it back to CA.

Modifying the JSON

Once you download that JSON, you have to modify it a bit. Microsoft uses Graph for the creation, so the body has to comply with the format the conditionalAccessPolicy resource understands.

Downloaded version

Will look like this

Modified version

And it should look like this. Remove the template's name and id, and the details wrapper around the policy, until only the displayName, state, conditions and the controls you want are left. A policy with no grant or session controls at all will be rejected, so keep at least one of those.

You can read more here on the formats and queries.

Importing directly from the portal is a bit broken: it will take most of the conditions, but things like displayName won't be populated.

So how about …

Importing with Graph

The same file can be used for a Graph POST. Just open Graph Explorer, Postman or whatever you want to use for the calls.

List the existing CA policies with a GET to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies so you can check the result and avoid duplicate names.

Then POST the new policy body to the same endpoint.

And success! Graph does the job, though it takes a while before the new policy shows up inside the portal itself.

And the name and other parameters are correctly populated, how cool is that!

If you like, you can also use MS Graph PowerShell cmdlets to create them.
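As an added example (not code from the original post), here is the whole round trip from "Modifying the JSON" and "Importing with Graph" in the Microsoft Graph PowerShell SDK: strip an exported template down to a policy body, exclude the signed-in account the same way the portal templates do, list the existing policies, and POST the new one. The exported template below is a constructed sample with the shape described above (name, id, description, details); a real export from your tenant may carry extra fields, and the function name ConvertTo-CaPolicyBody is my own. It assumes the Microsoft.Graph modules are installed.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
# Constructed sample of an exported template; the "details" wrapper is the assumed export shape.
$exported = @'
{
  "id": "00000000-0000-0000-0000-000000000000",
  "name": "Require multifactor authentication for admins",
  "description": "Constructed sample, not a real template export",
  "details": {
    "conditions": {
      "users": { "includeRoles": [ "62e90394-69f5-4237-9190-012177145e10" ] },
      "applications": { "includeApplications": [ "All" ] },
      "clientAppTypes": [ "all" ]
    },
    "grantControls": { "operator": "OR", "builtInControls": [ "mfa" ] },
    "sessionControls": null
  }
}
'@

function ConvertTo-CaPolicyBody {
    # Turns a template export into a conditionalAccessPolicy body that Graph accepts.
    param(
        [Parameter(Mandatory)] [string]   $TemplateJson,
        [Parameter(Mandatory)] [string]   $DisplayName,
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]   $State = 'enabledForReportingButNotEnforced',   # start in report-only
        [string[]] $ExcludeUsers = @()
    )
    $template = $TemplateJson | ConvertFrom-Json
    # Drop id/name/description: the policy lives under "details" if the wrapper is present.
    $details = if ($template.PSObject.Properties['details']) { $template.details } else { $template }

    $body = [ordered]@{
        displayName = $DisplayName
        state       = $State
        conditions  = $details.conditions
    }
    # Graph rejects a policy with no controls, so carry over whichever ones the template defines.
    if ($details.grantControls)   { $body.grantControls   = $details.grantControls }
    if ($details.sessionControls) { $body.sessionControls = $details.sessionControls }
    if (-not $body.Contains('grantControls') -and -not $body.Contains('sessionControls')) {
        throw 'Template defines neither grant nor session controls; Graph would reject the policy.'
    }
    # Keep the lockout protection explicit: merge extra exclusions into conditions.users.excludeUsers.
    if ($ExcludeUsers.Count -gt 0) {
        $current = @()
        if ($body.conditions.users.excludeUsers) { $current = @($body.conditions.users.excludeUsers) }
        $merged = @($current + $ExcludeUsers | Select-Object -Unique)
        $body.conditions.users | Add-Member -NotePropertyName excludeUsers -NotePropertyValue $merged -Force
    }
    return ($body | ConvertTo-Json -Depth 10)
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'User.Read'

# Exclude the account doing the import, as the portal templates do automatically.
$me = Get-MgUser -UserId (Get-MgContext).Account

$displayName = 'Require MFA for admins (from template)'
$json = ConvertTo-CaPolicyBody -TemplateJson $exported -DisplayName $displayName -ExcludeUsers @($me.Id)

# The GET step: list what is already there and refuse to create a duplicate name.
$existing = Get-MgIdentityConditionalAccessPolicy -All
if ($existing.DisplayName -contains $displayName) {
    throw "A policy named '$displayName' already exists; rename or delete it first."
}

# The POST step: same body you would paste into Graph Explorer or Postman.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $json -ContentType 'application/json'

"Created policy $($created.id) in state $($created.state)"
```

The policy is created in report-only mode on purpose; review the sign-in logs for it before switching the state to enabled, and add your break-glass accounts to -ExcludeUsers alongside your own object id.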

Read the official Microsoft documentation on this feature here.

Closure

Conditional Access is an essential part of making our environment secure through enforcement, whether you use it for authentication or device requirements. There are a lot of combinations of allows and blocks that you can use to reach the best practices of Zero Trust modeling.

Author: Harri Jaakkonen
