This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 98%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
I'm trying to enumerate all conditional access policies via the MS Graph endpoint
[https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Unfortunately, this only returns one entry, even though there are more:
PS C:\> $capurl = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
PS C:\> $capolicies = Invoke-RestMethod -Method Get -UseBasicParsing -Uri "$capURL" -Headers $Headers
PS C:\> $capolicies.value
id : b2068eb2-e213-43a3-8462-14cf15766450
displayName : cap-block-foreign-logins
createdDateTime : 2023-01-23T12:13:55.7574472Z
modifiedDateTime :
state : enabledForReportingButNotEnforced
sessionControls :
conditions : @{userRiskLevels=System.Object[]; signInRiskLevels=System.Object[]; clientAppTypes=System.Object[]; servicePrincipalRiskLevels=System.Object[];
platforms=; devices=; clientApplications=; applications=; users=; locations=}
grantControls : @{operator=OR; builtInControls=System.Object[]; customAuthenticationFactors=System.Object[]; termsOfUse=System.Object[]}
In the portal, I can see the following three policies:
It doesn't matter if I try this with a Global Admin or e.g. Security Reader assigned user...
Even if I filter for the actual displayName of one of the other policies, they are not returned:
PS C:\> $capURL ="https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?`$filter=displayName eq 'cap-test'"
PS C:\> $capolicies = Invoke-RestMethod -Method Get -UseBasicParsing -Uri "$capURL" -Headers $Headers
PS C:\> $capolicies.value
[ EMPTY RESULT HERE???]
PS C:\> $capURL ="https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?`$filter=displayName eq 'cap-block-foreign-logins'"
PS C:\> $capolicies = Invoke-RestMethod -Method Get -UseBasicParsing -Uri "$capURL" -Headers $Headers
PS C:\> $capolicies.value
id : b2068eb2-e213-43a3-8462-14cf15766450
displayName : cap-block-foreign-logins
createdDateTime : 2023-01-23T12:13:55.7574472Z
modifiedDateTime :
state : enabledForReportingButNotEnforced
sessionControls :
conditions : @{userRiskLevels=System.Object[]; signInRiskLevels=System.Object[]; clientAppTypes=System.Object[]; servicePrincipalRiskLevels=System.Object[];
platforms=; devices=; clientApplications=; applications=; users=; locations=}
grantControls : @{operator=OR; builtInControls=System.Object[]; customAuthenticationFactors=System.Object[]; termsOfUse=System.Object[]}
I saw that other people already asked the same question but no solution was ever provided... Do I have to open a GitHub issue for this?
An API that connects multiple Microsoft services, enabling data access and automation across platforms
Answer accepted by question author
One possible reason is that your policies are using conditions/actions not currently supported in /v1.0, such as the "Guests or external users" condition. Switching to using the /beta endpoint should cover these.
That was exactly the case, those "missing" CAP were configured with the new "Strong authentication" feature! :-)
The /beta endpoint lists all of them.
Thank you very much for your help!