
How to create Conditional Access policies using Microsoft Graph PowerShell

Author: 精品下载站  Date: 2024-12-14 06:51:31



Conditional Access policies let administrators configure and enforce a baseline level of security for a tenant. Administrators often need to deploy the same set of standard policies across several tenants, or simply prefer to configure them programmatically with PowerShell rather than through the portal.

In this tutorial I will show you how to configure Conditional Access policies using Microsoft Graph PowerShell.

About the New-MgIdentityConditionalAccessPolicy cmdlet

The New-MgIdentityConditionalAccessPolicy cmdlet lives in the Microsoft.Graph.Identity.SignIns module and is used to create a new Conditional Access policy in Microsoft Entra.

This cmdlet exposes only a limited set of parameters, so not every policy setting can be set with a dedicated parameter. Instead, the whole policy is defined in a hashtable that is passed to the -BodyParameter parameter; the cmdlet serialises it to JSON and POSTs it to the Graph endpoint.

If you have not yet installed the Microsoft Graph PowerShell module, see my full tutorial on installing Microsoft Graph PowerShell: https://ourcloudnetwork.com/how-to-install-the-microsoft-graph-powershell-sdk/

Permissions required to create a new Conditional Access policy

The main permission required to create a policy is the Policy.ReadWrite.ConditionalAccess API permission. However, it does not quite behave as you would expect: although you can use it to create a new policy, on its own it does not let you read back all policies once they are created.

Two further permissions provide the additional level of access needed to read policies and the objects they reference (such as applications):

  • Policy.Read.All
  • Application.Read.All

Use the following command to see the full details of the permissions and settings for the New-MgIdentityConditionalAccessPolicy cmdlet:

Find-MgGraphCommand New-MgIdentityConditionalAccessPolicy | fl

Your output will look like this:

Command     : New-MgIdentityConditionalAccessPolicy
Module      : Identity.SignIns
APIVersion  : v1.0
Method      : POST
URI         : /identity/conditionalAccess/policies
OutputType  : IMicrosoftGraphConditionalAccessPolicy
Variants    : {Create, CreateExpanded}
Permissions : {Application.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess}

For more information on finding the permissions to use with Microsoft Graph PowerShell, see my detailed tutorial here: https://ourcloudnetwork.com/how-to-find-permissions-for-microsoft-graph-powershell/
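As an added example (not code from the original post), the following script turns the Find-MgGraphCommand lookup above into a pre-flight check: it compares the scopes the current Graph session was granted with the permissions the cmdlet lists, so a missing scope is caught before the POST fails half-way through a deployment. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules are installed; the function name Test-MgCommandScopes is my own.

```powershell
# Added example: pre-flight check of granted scopes against a cmdlet's
# documented permissions. Not part of the original post.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

function Test-MgCommandScopes {
    param(
        [Parameter(Mandatory)] [string] $Command,
        # Scopes to treat as granted; defaults to those of the live session
        # (empty when not connected, so everything shows up as missing).
        [string[]] $GrantedScopes = (Get-MgContext).Scopes
    )
    # Find-MgGraphCommand returns the permissions the SDK knows for the
    # v1.0 endpoint behind the cmdlet (Application.Read.All, Policy.Read.All,
    # Policy.ReadWrite.ConditionalAccess for this one).
    $required = (Find-MgGraphCommand -Command $Command -ApiVersion v1.0).Permissions.Name |
        Sort-Object -Unique
    $missing = @($required | Where-Object { $_ -notin $GrantedScopes })

    [pscustomobject]@{
        Command  = $Command
        Required = $required
        Granted  = $GrantedScopes
        Missing  = $missing
    }
}

# Connect with the scopes the tutorial uses, then see what the SDK thinks is still missing.
Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.ConditionalAccess -NoWelcome

$check = Test-MgCommandScopes -Command New-MgIdentityConditionalAccessPolicy
$check | Format-List

if ($check.Missing.Count -gt 0) {
    Write-Warning ("Scopes listed for {0} but not granted to this session: {1}. " +
                   "Reconnect with them added if the cmdlet fails with 403 Forbidden.") -f
                   $check.Command, ($check.Missing -join ', ')
}
```

With only the two scopes from the tutorial, the check reports Application.Read.All as not granted; that is expected and matches the note above that the extra permission is only needed to read back objects the policy references.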

New-MgIdentityConditionalAccessPolicy Conditional Access policy example

Start by connecting to Microsoft Graph PowerShell with the permission scopes needed to create a new policy and read back all policy information:

Connect-MgGraph -scopes Policy.Read.All, Policy.ReadWrite.ConditionalAccess

You can then use the following sample code to create a new policy named "MFA for all users" with some basic settings:

  • Target all users
  • Target all cloud apps
  • Require MFA
  • Report-only mode (enabled for reporting but not enforced)

$body = @{
  displayName = "MFA for all users"
  state = "enabledForReportingButNotEnforced"   # report-only: evaluated and logged, never enforced
  conditions = @{
    applications = @{
      includeApplications = @(
        "All"                                  # all cloud apps
      )
    }
    users = @{
      includeUsers = @(
        "All"                                  # all users (add excludeUsers/excludeGroups for break-glass accounts)
      )
    }
    clientAppTypes = @(
      "all"
    )
  }
  grantControls = @{
    operator = "AND"
    builtInControls = @(
      "mfa"                                    # require multifactor authentication
    )
  }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $body
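The policy above applies to every user with no exclusions, which is exactly the shape that locks administrators out when MFA registration is incomplete. As an added example (not code from the original post), the script below wraps the same body in a function that excludes a break-glass group, refuses to create a duplicate if a policy with that display name already exists, creates it in report-only mode, and then reads it back to confirm what Entra actually stored. The group object ID in $BreakGlassGroupId is a placeholder you replace, the function name New-ReportOnlyMfaPolicy is my own, and it assumes a session already connected as shown above.

```powershell
# Added example: create the MFA policy safely and verify it. Not part of the original post.
Import-Module Microsoft.Graph.Identity.SignIns

# Placeholder: object ID of the group holding your emergency-access accounts.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

function New-ReportOnlyMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $ExcludeGroupId
    )
    # Display names are not unique in Entra: running the script twice would
    # silently create a second policy, so look for an existing one first.
    $existing = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object DisplayName -eq $DisplayName |
        Select-Object -First 1
    if ($existing) {
        Write-Warning "Policy '$DisplayName' already exists (id $($existing.Id)); not creating another."
        return $existing
    }

    $body = @{
        displayName = $DisplayName
        state       = "enabledForReportingButNotEnforced"   # report-only until the sign-in logs have been reviewed
        conditions  = @{
            applications = @{ includeApplications = @("All") }
            users        = @{
                includeUsers  = @("All")
                excludeGroups = @($ExcludeGroupId)           # emergency-access accounts must never be locked out
            }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$policy = New-ReportOnlyMfaPolicy -DisplayName "MFA for all users" -ExcludeGroupId $BreakGlassGroupId

# Read the policy back by ID and show the settings that matter, as stored by Entra.
$saved = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
[pscustomobject]@{
    Id              = $saved.Id
    State           = $saved.State
    IncludeUsers    = $saved.Conditions.Users.IncludeUsers -join ','
    ExcludeGroups   = $saved.Conditions.Users.ExcludeGroups -join ','
    BuiltInControls = $saved.GrantControls.BuiltInControls -join ','
} | Format-List
```

Reading the policy back is the cheap check that the hashtable keys were spelled the way Graph expects: a misspelled key is ignored rather than rejected, so the only way to notice is to compare the stored object with what you intended to send.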

All settings for New-MgIdentityConditionalAccessPolicy

Many different settings can be used with a Conditional Access policy. The blocks below list every setting available in each part of the policy body; treat them as a catalogue to pick from, not as one policy to submit as-is, because some settings are mutually exclusive (noted in the comments).

Conditions

All conditions go inside the conditions hashtable:

conditions = @{
    # conditions here
}

Users

All settings for the users condition are as follows:

users = @{
    includeUsers = @(
        "All" # "All", "None", or one or more user object IDs
    )
    excludeUsers = @(
        "UserID" # object IDs of the excluded users
    )
    includeGroups = @(
        "GroupID" # object IDs of the included groups
    )
    excludeGroups = @(
        "GroupID" # object IDs of the excluded groups
    )
    includeRoles = @(
        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" # directory role template IDs
    )
    excludeRoles = @(
        "b0f54661-2d74-4c50-afa3-1ec803f12efe" # directory role template IDs
    )
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser"
        externalTenants = @{
            "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
            membershipKind = "all"
        }
    } # external and guest user types to include
    excludeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser"
        externalTenants = @{
            "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
            membershipKind = "all"
        }
    } # external and guest user types to exclude
}

Target resources

All settings for the target resources condition are as follows:

applications = @{
    includeApplications = @(
        "All" # "All", "None", "Office365", or application (client) IDs
    )
    excludeApplications = @(
        "499b84ac-1321-427f-aa17-267ca6975798" # application (client) IDs to exclude
    )
    applicationFilter = @{
        mode = "include" # or "exclude"
        rule = 'CustomSecurityAttribute.DanielWasHere_Test -eq "Yes"' # build the rule in the portal and paste the syntax here
    }
    # A single policy targets only one of: applications, user actions, or
    # authentication contexts. Use one of the three blocks below, not all of them.
    includeUserActions = @(
        "urn:user:registersecurityinfo"
        "urn:user:registerdevice"
    ) # either or both user actions
    includeAuthenticationContextClassReferences = @(
        "c1"
        "c2"
    ) # authentication context class reference IDs
    globalSecureAccess = @{
        includeTrafficProfiles = "M365"
    } # Global Secure Access traffic profile, by profile name
}

Platforms

All settings for the platforms condition are as follows:

platforms = @{
    includePlatforms = @(
        "all"
        "android"
        "iOS"
        "windowsPhone"
        "windows"
        "macOS"
        "linux"
    ) # either "all" or a list of individual platforms
    excludePlatforms = @(
        "android"
        "iOS"
        "windowsPhone"
        "windows"
        "macOS"
        "linux"
    ) # individual platforms to exclude (typically used together with includePlatforms = "all")
}

Locations

All settings for the locations condition are as follows:

locations = @{
    includeLocations = @(
        "All"
        "AllTrusted"
        "3d46dbda-8382-466a-856d-eb00cbc6b910" # all compliant network locations
        "Custom network location ID"           # ID of a named location
    ) # use one of the above options
    excludeLocations = @(
        "AllTrusted"
        "Custom network location ID"
    ) # use one of the above options
}

User risk and sign-in risk

All settings for the user risk and sign-in risk conditions are as follows:

signInRiskLevels = @(
    "high"
    "medium"
    "low"
    "none"
) # select one or more of the above
userRiskLevels = @(
    "high"
    "medium"
) # select one or more of the above
signInRiskDetections = $null # leave as $null; not needed for a risk-level policy

Client apps

All settings for the client apps condition are as follows:

clientAppTypes = @(
    "browser"
    "mobileAppsAndDesktopClients"
    "exchangeActiveSync"
    "other"
) # select one or more of the above app types, or "all"

Grant controls

All settings for the grant controls are as follows:

grantControls = @{
    operator = "OR" # "OR" = require one of the selected controls, "AND" = require all of them
    builtInControls = @(
        "mfa"
        "compliantDevice"
        "domainJoinedDevice"
        "approvedApplication"
        "compliantApplication"
    ) # choose from the above options
    customAuthenticationFactors = @(
    )
    termsOfUse = @(
        "ce580154-086a-40fd-91df-8a60abac81a0"
        "7f29d675-caff-43e1-8a53-1b8516ed2075"
    ) # IDs of the terms-of-use policies
    authenticationStrength = @{
        id = "db443b3a-6c4e-45f5-aa9a-7819e56d2987"
    } # ID of the authentication strength (built-in or custom); use instead of "mfa" in builtInControls, not alongside it
}

Session controls

All settings for the session controls are as follows:

sessionControls = @{
    applicationEnforcedRestrictions = $null # or @{ isEnabled = $true }
    persistentBrowser = @{
        mode      = "always" # or "never"
        isEnabled = $true
    } # persistent browser session settings
    cloudAppSecurity = @{
        cloudAppSecurityType = "blockDownloads" # or "monitorOnly", "mcasConfigured"
        isEnabled            = $true
    } # Defender for Cloud Apps (Conditional Access App Control) settings
    continuousAccessEvaluation = @{
        mode = "strictLocation"
    } # remove if not needed
    secureSignInSession = @{
        isEnabled            = $true
        secureAppSessionMode = "notEnforced"
    } # token protection settings
    disableResilienceDefaults = $true
    signInFrequency = @{
        value     = 4
        type      = "hours" # or "days"
        isEnabled = $true
    } # sign-in frequency settings
    globalSecureAccessFilteringProfile = $null
}

State

Use one of the following values to control the state of the policy:

state = "enabled"                            # enforced
state = "disabled"                           # switched off
state = "enabledForReportingButNotEnforced"  # report-only: evaluated and logged, not enforced
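The introduction mentions rolling the same standard policies out to several tenants. As an added example (not code from the original post), the script below builds one baseline policy from the settings catalogued above, a block on legacy authentication using the clientAppTypes condition and the "block" grant control (a valid builtInControls value in addition to those listed), and applies it to a list of tenants, updating the policy in place if it already exists rather than creating a duplicate. The tenant IDs and break-glass group IDs are placeholders you replace, the function names are my own, and it assumes the signed-in account holds Policy.ReadWrite.ConditionalAccess in every tenant.

```powershell
# Added example: push one baseline policy to several tenants, create-or-update.
# Not part of the original post.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

# Constructed inventory; replace with the real tenant and group IDs.
$Tenants = @(
    @{ TenantId = "11111111-1111-1111-1111-111111111111"; BreakGlassGroupId = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" }
    @{ TenantId = "22222222-2222-2222-2222-222222222222"; BreakGlassGroupId = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb" }
)

function Get-LegacyAuthBlockBody {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,
        [string] $State = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing report-only results
    )
    @{
        displayName = "Baseline - Block legacy authentication"
        state       = $State
        conditions  = @{
            applications = @{ includeApplications = @("All") }
            users        = @{
                includeUsers  = @("All")
                excludeGroups = @($BreakGlassGroupId)
            }
            # Only the client app types that cannot perform modern authentication.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("block")
        }
    }
}

function Set-BaselinePolicy {
    param([Parameter(Mandatory)] [hashtable] $Body)
    # Match on display name; update in place so the policy ID and its sign-in
    # log history survive, otherwise create it.
    $existing = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object DisplayName -eq $Body.displayName |
        Select-Object -First 1
    if ($existing) {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $Body
        Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id
    }
    else {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $Body
    }
}

foreach ($t in $Tenants) {
    Connect-MgGraph -TenantId $t.TenantId -Scopes Policy.Read.All, Policy.ReadWrite.ConditionalAccess -NoWelcome
    $result = Set-BaselinePolicy -Body (Get-LegacyAuthBlockBody -BreakGlassGroupId $t.BreakGlassGroupId)
    "{0}: '{1}' is {2} (id {3})" -f $t.TenantId, $result.DisplayName, $result.State, $result.Id
    Disconnect-MgGraph | Out-Null
}
```

Matching on display name is only as reliable as your naming discipline; if a tenant may already contain two policies with the same name, record the policy IDs per tenant after the first run and update by ID instead.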
