AAD Conditional access policy - Set user actions policy

K Roja 51 Reputation points

Hello Team,

Trying to add a conditional access policy for MFA. We are able to add all properties except user actions. Please refer to the screenshot below.
Need guidance on the highlighted settings below using PowerShell.

Below is the PowerShell code which we are using:

# Sign in to Azure and Azure AD with the same credential (placeholders redacted)
$passwd = ConvertTo-SecureString 'XXXXXXXXX' -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('XXXXX', $passwd)
$login = Connect-AzAccount -Credential $pscredential -TenantId 'XXXXXXX'

Connect-AzureAD -Credential $pscredential

# Conditions: applications / user actions
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"

$conditions.Applications.IncludeUserActions = "useraction"

# Conditions: users (all users, one excluded account)
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "all"
$conditions.Users.ExcludeUsers = "452aa556-ea30-4d97-8200-aa354d7b89af"

# Conditions: client app types
$conditions.ClientAppTypes = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessClientApp

$conditions.ClientAppTypes = @('other')

# Grant controls: require MFA
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

New-AzureADMSConditionalAccessPolicy -DisplayName "IGDODC MFA for Device Enrollment1" -State "Enabled" -Conditions $conditions -GrantControls $controls -Debug -Verbose

Message: Security Defaults is enabled in the tenant. You must disable Security defaults before enabling a Conditional Access policy.

When we try to deploy the above code, "Cloud apps or actions" is set to all cloud apps, but we need "Cloud apps or actions" set to user actions.

Please let us know if we have any property to enable user actions.

1 additional answer

  1. K Roja 51 Reputation points

    By using the property below, we are able to set user actions:
    $conditions.Applications.IncludeUserActions = "urn:user:registerdevice"

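For completeness, here is the full policy built around that property, as an added example rather than code from the original post. It assumes an existing Connect-AzureAD session, a tenant where Security Defaults are already disabled (otherwise creation fails exactly as in the question), and a placeholder object id for the excluded break-glass account; it starts the policy in report-only state and reads it back to confirm it targets the user action and not cloud apps.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD has already run
# and Security Defaults are disabled in the tenant.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with a real object id

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# User actions live on the Applications condition. A policy targets either cloud apps or
# user actions, so IncludeApplications is left unset instead of "All".
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeUserActions = @('urn:user:registerdevice')   # "Register or join devices"

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = @('All')
$conditions.Users.ExcludeUsers = @($breakGlassUserId)

# Device registration happens from browsers and native clients alike, so cover all client types.
$conditions.ClientAppTypes = @('all')

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('mfa')

# Report-only first: sign-in logs show who would have been prompted before anyone is blocked.
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName 'MFA for device registration' `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $controls

# Read the policy back and verify the target is the user action, not cloud apps.
$created = Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id
if ($created.Conditions.Applications.IncludeUserActions -notcontains 'urn:user:registerdevice') {
    throw "Policy $($created.Id) does not target the device registration user action."
}
if ($created.Conditions.Applications.IncludeApplications) {
    throw "Policy $($created.Id) unexpectedly targets cloud apps as well."
}
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Switch the state to 'enabled' only after the report-only sign-in log entries show the expected population being prompted.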