AAD Conditional access policy - Set user actions policy

K Roja 56 Reputation points
2022-09-26T13:46:46.443+00:00

Hello Team,

Trying to add a conditional access policy for MFA. We are able to add all properties except user actions. Please refer to the screenshot below.
We need guidance on the highlighted settings below using PowerShell.
[screenshot omitted: Conditional Access policy settings with the highlighted option]

Below is the PowerShell code we are using:

CODE
# Sign in to Azure and Azure AD with a stored credential (placeholder values).
$passwd = ConvertTo-SecureString 'XXXXXXXXX' -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('XXXXX', $passwd)
$login = Connect-AzAccount -Credential $pscredential -TenantId 'XXXXXXX'

Connect-AzureAD -Credential $pscredential

# Condition set: which apps/actions, users and client apps the policy applies to.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"

# This is the setting in question: the value to use for "User actions".
$conditions.Applications.IncludeUserActions = "useraction"

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "all"
$conditions.Users.ExcludeUsers = "452aa556-ea30-4d97-8200-aa354d7b89af"

# Client app types is a string array, not a ConditionalAccessClientApp object.
$conditions.ClientAppTypes = @('other')

# Grant control: require MFA.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Error returned by the tenant on first attempt:
# Message: Security Defaults is enabled in the tenant. You must disable Security defaults before enabling a Conditional Access policy.

New-AzureADMSConditionalAccessPolicy -DisplayName "IGDODC MFA for Device Enrollment1" -State "Enabled" -Conditions $conditions -GrantControls $controls -Debug -Verbose

When we deploy the above code, cloud apps or actions is set to all cloud apps, but we need cloud apps or actions set to user actions.

Please let us know if there is a property to enable user actions.


Accepted answer
  1. Sandeep G-MSFT 20,376 Reputation points Microsoft Employee
    2022-10-12T10:24:23.187+00:00

    @K Roja

    As per your previous post, you can use the property below to set user actions:
    $conditions.Applications.IncludeUserActions = "urn:user:registerdevice"

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

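As an added example (not code from the question or the answers), the following complete AzureAD-module script uses the `IncludeUserActions` property from the accepted answer to scope a policy to the "Register or join devices" user action, requires MFA, creates the policy in report-only state, and reads it back to confirm the scope. It assumes an interactive `Connect-AzureAD` session with rights to manage Conditional Access and that Security Defaults are already disabled (see the error quoted in the question); the policy name and the excluded break-glass account ID are placeholders. Leaving `IncludeApplications` unset alongside `IncludeUserActions` is an assumption based on the portal, where cloud apps and user actions are alternative selections.

```powershell
Connect-AzureAD | Out-Null

$policyName   = 'MFA for device registration (report-only)'   # placeholder name
$breakGlassId = '<object-id-of-break-glass-account>'           # placeholder, replace

# Do not create a duplicate if a policy with this name already exists.
if (Get-AzureADMSConditionalAccessPolicy | Where-Object { $_.DisplayName -eq $policyName }) {
    throw "A policy named '$policyName' already exists; edit it instead of recreating it."
}

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# Target a user action instead of cloud apps. IncludeApplications is deliberately left
# unset (assumption: apps and user actions are alternative scopes, as in the portal).
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeUserActions = @('urn:user:registerdevice')

# All users, minus the break-glass account so an MFA outage cannot lock out the tenant.
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.Users.ExcludeUsers = @($breakGlassId)

# Apply to every client app type (string array, not an object).
$conditions.ClientAppTypes = @('all')

# Grant control: require MFA.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator       = 'OR'
$controls.BuiltInControls = @('mfa')

# Report-only: sign-in logs show what the policy would do without enforcing it yet.
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName $policyName `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $controls

# Read the policy back and confirm it is scoped to the user action, not to "All" apps.
$created = Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id
if ($created.Conditions.Applications.IncludeUserActions -notcontains 'urn:user:registerdevice') {
    throw 'Policy was created but is not scoped to the device-registration user action.'
}
"Created policy $($created.Id) in state $($created.State)"
```

Switch the state to `enabled` only after the report-only results in the sign-in logs look as expected; the same property accepts `urn:user:registersecurityinfo` for the security-info registration user action.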

1 additional answer

  1. K Roja 56 Reputation points
    2022-10-06T06:43:19.363+00:00

    By using the property below, we are able to set user actions:
    $conditions.Applications.IncludeUserActions = "urn:user:registerdevice"
