Nik Charlebois edited this page 2021-10-06 06:17:59 -04:00
# AADConditionalAccessPolicy
## Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisplayName | Key | String | DisplayName of the AAD CA Policy | |
| Id | Write | String | Specifies the GUID for the Policy. | |
| State | Write | String | Specifies the State of the Policy. | disabled, enabled, enabledForReportingButNotEnforced |
| IncludeApplications | Write | StringArray[] | Cloud Apps in scope of the Policy. | |
| ExcludeApplications | Write | StringArray[] | Cloud Apps out of scope of the Policy. | |
| IncludeUserActions | Write | StringArray[] | User Actions in scope of the Policy. | |
| IncludeUsers | Write | StringArray[] | Users in scope of the Policy. | |
| ExcludeUsers | Write | StringArray[] | Users out of scope of the Policy. | |
| IncludeGroups | Write | StringArray[] | Groups in scope of the Policy. | |
| ExcludeGroups | Write | StringArray[] | Groups out of scope of the Policy. | |
| IncludeRoles | Write | StringArray[] | AAD Admin Roles in scope of the Policy. | |
| ExcludeRoles | Write | StringArray[] | AAD Admin Roles out of scope of the Policy. | |
| IncludePlatforms | Write | StringArray[] | Client Device Platforms in scope of the Policy. | |
| ExcludePlatforms | Write | StringArray[] | Client Device Platforms out of scope of the Policy. | |
| IncludeLocations | Write | StringArray[] | AAD Named Locations in scope of the Policy. | |
| ExcludeLocations | Write | StringArray[] | AAD Named Locations out of scope of the Policy. | |
| IncludeDevices | Write | StringArray[] | Client Device Compliance states in scope of the Policy. | |
| ExcludeDevices | Write | StringArray[] | Client Device Compliance states out of scope of the Policy. | |
| UserRiskLevels | Write | StringArray[] | AAD Identity Protection User Risk Levels in scope of the Policy. | |
| SignInRiskLevels | Write | StringArray[] | AAD Identity Protection Sign-in Risk Levels in scope of the Policy. | |
| ClientAppTypes | Write | StringArray[] | Client App types in scope of the Policy. | |
| GrantControlOperator | Write | String | Operator to be used for Grant Controls. | AND, OR |
| BuiltInControls | Write | StringArray[] | List of built-in Grant Controls to be applied by the Policy. | |
| ApplicationEnforcedRestrictionsIsEnabled | Write | Boolean | Specifies whether Application Enforced Restrictions are enabled in the Policy. | |
| CloudAppSecurityIsEnabled | Write | Boolean | Specifies whether Cloud App Security is enforced by the Policy. | |
| CloudAppSecurityType | Write | String | Specifies which Cloud App Security control is enforced by the Policy. | |
| SignInFrequencyValue | Write | UInt32 | Sign-in frequency time in the given unit to be enforced by the policy. | |
| SignInFrequencyType | Write | String | Sign-in frequency unit (days/hours) to be interpreted by the policy. | Days, Hours |
| SignInFrequencyIsEnabled | Write | Boolean | Specifies whether sign-in frequency is enforced by the Policy. | |
| PersistentBrowserIsEnabled | Write | Boolean | Specifies whether Browser Persistence is controlled by the Policy. | |
| PersistentBrowserMode | Write | String | Specifies which Browser Persistence control is enforced by the Policy. | Always, Never |
| Ensure | Write | String | Specifies whether the Azure AD CA Policy should exist or not. | Present, Absent |
| Credential | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | String | Secret of the Azure Active Directory application to authenticate with. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
## Description

This resource configures an Azure Active Directory Conditional Access Policy.

## Azure AD Permissions

To authenticate via Azure Active Directory, this resource requires the following Application permissions:
- Automate
  - Application.Read.All
  - Group.Read.All
  - Directory.Read.All
  - Policy.Read.All
  - Policy.Read.ConditionalAccess
  - Policy.ReadWrite.ConditionalAccess
  - RoleManagement.Read.All
  - RoleManagement.Read.Directory
  - User.Read.All
- Export
  - Application.Read.All
  - Group.Read.All
  - Directory.Read.All
  - Policy.Read.All
  - Policy.Read.ConditionalAccess
  - RoleManagement.Read.All
  - RoleManagement.Read.Directory
  - User.Read.All

NOTE: All permissions listed above require admin consent.

Additionally, the Global Reader role needs to be assigned as long as AAD PowerShell has not fully converged on the Graph API.
## Examples

### Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $credsGlobalAdmin
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADConditionalAccessPolicy Allin-example
        {
            Credential                = $credsGlobalAdmin;
            BuiltInControls           = @("Mfa", "CompliantDevice", "DomainJoinedDevice", "ApprovedApplication", "CompliantApplication");
            ClientAppTypes            = @("ExchangeActiveSync", "Browser", "MobileAppsAndDesktopClients", "Other");
            CloudAppSecurityIsEnabled = $True;
            CloudAppSecurityType      = "MonitorOnly";
            DisplayName               = "Allin-example";
            Ensure                    = "Present";
            ExcludeApplications       = @("803ee9ca-3f7f-4824-bd6e-0b99d720c35c", "00000012-0000-0000-c000-000000000000", "00000007-0000-0000-c000-000000000000", "Office365");
            ExcludeDevices            = @("Compliant", "DomainJoined");
            ExcludeGroups             = @();
            ExcludeLocations          = @("Blocked Countries");
            ExcludePlatforms          = @("Windows", "WindowsPhone", "MacOS");
            ExcludeRoles              = @("Company Administrator", "Application Administrator", "Application Developer", "Cloud Application Administrator", "Cloud Device Administrator");
            ExcludeUsers              = @("admin@contoso.com", "AAdmin@contoso.com", "CAAdmin@contoso.com", "AllanD@contoso.com", "AlexW@contoso.com", "GuestsOrExternalUsers");
            GrantControlOperator      = "OR";
            IncludeApplications       = @("All");
            IncludeDevices            = @("All");
            IncludeGroups             = @();
            IncludeLocations          = @("AllTrusted");
            IncludePlatforms          = @("Android", "IOS");
            IncludeRoles              = @("Compliance Administrator");
            IncludeUserActions        = @();
            IncludeUsers              = @("Alexw@contoso.com");
            PersistentBrowserIsEnabled = $false;
            PersistentBrowserMode     = "";
            SignInFrequencyIsEnabled  = $True;
            SignInFrequencyType       = "Hours";
            SignInFrequencyValue      = 5;
            SignInRiskLevels          = @("High", "Medium");
            State                     = "disabled";
            UserRiskLevels            = @("High", "Medium");
        }
    }
}
```
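The showcase above switches on every condition at once and is disabled. As an added example, not taken from the Microsoft365DSC documentation, the configuration below uses the same resource for a common defensive baseline: require MFA for privileged roles, deployed in report-only mode and authenticated with a certificate-backed application rather than a Global Admin credential. The break-glass account name, the application and tenant ids and the certificate thumbprint are placeholders.

```powershell
# Added example, not from the Microsoft365DSC docs. Placeholders: the
# break-glass account, the application/tenant ids and the thumbprint.
Configuration RequireMfaForAdmins
{
    param(
        [Parameter(Mandatory = $true)] [System.String] $ApplicationId,
        [Parameter(Mandatory = $true)] [System.String] $TenantId,
        [Parameter(Mandatory = $true)] [System.String] $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADConditionalAccessPolicy "CA-Admins-RequireMfa"
        {
            # App-only authentication: no interactive admin credential ends up in the MOF.
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint

            DisplayName           = "CA001: Require MFA for privileged roles"
            Ensure                = "Present"
            # Report-only first; switch to "enabled" once the sign-in
            # logs show no unexpected blocks.
            State                 = "enabledForReportingButNotEnforced"

            # Scope: all cloud apps, browser and rich clients, and the
            # privileged roles named in the documentation example.
            IncludeApplications   = @("All")
            ClientAppTypes        = @("Browser", "MobileAppsAndDesktopClients")
            IncludeRoles          = @("Company Administrator",
                                      "Application Administrator",
                                      "Cloud Application Administrator")
            # Placeholder emergency-access account, excluded so a failing
            # MFA method cannot lock every administrator out of the tenant.
            ExcludeUsers          = @("breakglass@contoso.com")

            # Single grant control: MFA is the only requirement.
            GrantControlOperator  = "OR"
            BuiltInControls       = @("Mfa")
        }
    }
}

# Compile the MOF, then compare it against the tenant before applying it.
RequireMfaForAdmins -ApplicationId "<application id>" -TenantId "<tenant id>" `
    -CertificateThumbprint "<thumbprint>" -OutputPath .\RequireMfaForAdmins
Test-DscConfiguration -Path .\RequireMfaForAdmins -Verbose
```

Test-DscConfiguration reports drift between the compiled policy and the live tenant without changing anything; Start-DscConfiguration on the same path applies it.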