Perform a Conditional Access Policy "What if" on users (users/groups targeting and MFA grant controls only)
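# Pulls out all the relevant data we need from a Conditional Access policy:
# the users/groups targeting (resolved to objects) and the grant controls.
#
# Caveats before building a "what if" on top of this object:
#   - Only Conditions.Users is read. Role targeting (IncludeRoles/ExcludeRoles)
#     and every other condition (apps, platforms, locations, risk, client apps)
#     is NOT captured, so downstream checks are a users/groups-only approximation.
#   - Group members are expanded transitively because Conditional Access
#     honours nested group membership; direct-only expansion under-reports
#     both inclusions and exclusions.
#   - Keyword values Graph uses in includeUsers/excludeUsers ("All", "None",
#     "GuestsOrExternalUsers") are passed through as strings, not looked up.
function Format-CAPDetails {
    param(
        # A policy object as returned by Get-MgIdentityConditionalAccessPolicy.
        [Parameter(ValueFromPipeline)]
        $ConditionalAccessPolicy
    )
    BEGIN {
        # Values that are keywords, not object IDs; must never reach Get-MgUser.
        $Keywords = @('All', 'None', 'GuestsOrExternalUsers')

        # Expand a group ID to its display name and its full transitive member list.
        function Resolve-CAGroup ($GroupId) {
            $Group = Get-MgGroup -GroupId $GroupId
            [PSCustomObject]@{
                DisplayName = $Group.DisplayName
                Members     = Get-MgGroupTransitiveMember -GroupId $Group.Id -All
            }
        }

        # Expand a user ID to a user object; keywords pass through unchanged.
        function Resolve-CAUser ($UserId) {
            if ($UserId -in $Keywords) { $UserId } else { Get-MgUser -UserId $UserId }
        }
    }
    PROCESS {
        $Users  = $ConditionalAccessPolicy.Conditions.Users
        $Grants = $ConditionalAccessPolicy.GrantControls

        [PSCustomObject]@{
            DisplayName   = $ConditionalAccessPolicy.DisplayName
            # Surfaced so callers can distinguish enabled from report-only/disabled.
            State         = $ConditionalAccessPolicy.State
            IncludeUsers  = @($Users.IncludeUsers  | ForEach-Object { Resolve-CAUser  $_ })
            IncludeGroups = @($Users.IncludeGroups | ForEach-Object { Resolve-CAGroup $_ })
            ExcludeUsers  = @($Users.ExcludeUsers  | ForEach-Object { Resolve-CAUser  $_ })
            ExcludeGroups = @($Users.ExcludeGroups | ForEach-Object { Resolve-CAGroup $_ })
            # Read from the named parameter, not $_: $_ is empty when the function
            # is called as Format-CAPDetails -ConditionalAccessPolicy $p rather than
            # via the pipeline, which silently produced an empty control list.
            # Flattened into one string array so later "*mfa*" checks see each
            # control individually instead of a nested array.
            GrantControls = @(@($Grants.BuiltInControls) + @($Grants.CustomAuthenticationFactors) | Where-Object { $_ })
            # Policies that require an authentication strength carry no "mfa"
            # built-in control; exposed here so callers can account for them.
            AuthenticationStrength = $Grants.AuthenticationStrength.DisplayName
        }
    }
}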
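# Performs the "what if": for each user, decides which of the supplied policies
# (shaped by Format-CAPDetails) target that user by user/group membership.
#
# Scope of the check — read before trusting MFAEnforced:
#   - Only users/groups targeting is evaluated. Role targeting, policy State
#     and every other condition (apps, platforms, locations, risk, client apps)
#     are ignored, so a policy listed as applying may still not fire for a
#     given sign-in, and vice versa.
#   - MFAEnforced is $true only when at least one applying policy carries a
#     grant control matching "*mfa*". Authentication strengths, per-user MFA
#     and Security Defaults are not considered.
function Test-CAUserConditions {
    param(
        # One or more user objects exposing Id, DisplayName and UserPrincipalName.
        $MGUser,
        # Policy objects as emitted by Format-CAPDetails.
        $Policies
    )
    foreach ($User in $MGUser) {
        # One predicate, so "applies" and "will not apply" are exact complements.
        $Applies = {
            param($Policy)
            $Included = ('All' -in @($Policy.IncludeUsers)) -or
                        ($User.Id -in @($Policy.IncludeUsers.Id)) -or
                        ($User.Id -in @($Policy.IncludeGroups.Members.Id))
            # Direct user exclusions were previously ignored, which reported a
            # policy as applying to a user it explicitly excludes.
            $Excluded = ($User.Id -in @($Policy.ExcludeUsers.Id)) -or
                        ($User.Id -in @($Policy.ExcludeGroups.Members.Id))
            $Included -and -not $Excluded
        }

        $PoliciesThatApply        = @($Policies | Where-Object { & $Applies $_ })
        $PoliciesThatWillNotApply = @($Policies | Where-Object { -not (& $Applies $_) })

        # Recomputed per user. The original switch fell into 'default' ($true)
        # when no policy applied at all (switching on $null) and, with several
        # policies, was decided by the last policy's controls rather than any.
        $MFAEnforced = [bool]($PoliciesThatApply.GrantControls | Where-Object { $_ -like '*mfa*' })

        [PSCustomObject]@{
            DisplayName              = $User.DisplayName
            UserPrincipalName        = $User.UserPrincipalName
            PoliciesThatApply        = $PoliciesThatApply.DisplayName -join ", "
            PoliciesThatWillNotApply = $PoliciesThatWillNotApply.DisplayName -join ", "
            MFAEnforced              = $MFAEnforced
        }
    }
}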
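# Example
# Requires an existing Connect-MgGraph session. Reading policies, users and
# group members needs at least Policy.Read.All, User.Read.All and
# GroupMember.Read.All (Directory.Read.All covers the latter two).
#
# The policy filter below is one use case; Get-MgIdentityConditionalAccessPolicy | Format-CAPDetails
# works too. Note the filter only keeps policies with an "mfa" built-in or
# custom control; policies that require an authentication strength instead
# are dropped here, so their users will be reported as MFAEnforced = False.
$CAPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object {
        # Exact match: the previous -like "*enabled*" also matched
        # "enabledForReportingButNotEnforced", so report-only policies were
        # counted as enforcing MFA.
        $_.State -eq 'enabled' -and
        (@($_.GrantControls.BuiltInControls) + @($_.GrantControls.CustomAuthenticationFactors)) -like '*mfa*'
    } |
    Format-CAPDetails

# Enabled users only, filtered server-side rather than after a full download.
$AllEnabledTenantUsers = Get-MgUser -All -Filter 'accountEnabled eq true' -Property AccountEnabled,DisplayName,Mail,UserPrincipalName,Id |
    Select-Object DisplayName,Mail,UserPrincipalName,Id

# $OutFilePath was never defined, so Export-Csv failed on an empty path.
if (-not $OutFilePath) { $OutFilePath = Join-Path $PWD 'CA-WhatIf.csv' }

# The CSV lists every user without an applying MFA policy by name and UPN —
# treat it as sensitive and store it accordingly.
Test-CAUserConditions -MGUser $AllEnabledTenantUsers -Policies $CAPolicies |
    Export-Csv -Path $OutFilePath -NoTypeInformation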