How to get all details of conditional access policy

Mani 376 Reputation points
2025-01-21T19:48:19.3933333+00:00

Hello All,

Please suggest whether there is a way to get all the conditions of a Conditional Access policy.

I tried Get-AzureADMSConditionalAccessPolicy | FL

Id :
DisplayName : MFA_Policy (O365)
State : disabled
Conditions : class ConditionalAccessConditionSet {
              Applications: class ConditionalAccessApplicationCondition {
                IncludeApplications: System.Collections.Generic.List`1[System.String]
                ExcludeApplications: System.Collections.Generic.List`1[System.String]
                IncludeUserActions: System.Collections.Generic.List`1[System.String]
                IncludeProtectionLevels:
              }
              Users: class ConditionalAccessUserCondition {
                IncludeUsers: System.Collections.Generic.List`1[System.String]
                ExcludeUsers: System.Collections.Generic.List`1[System.String]
                IncludeGroups: System.Collections.Generic.List`1[System.String]
                ExcludeGroups: System.Collections.Generic.List`1[System.String]
                IncludeRoles: System.Collections.Generic.List`1[System.String]
                ExcludeRoles: System.Collections.Generic.List`1[System.String]
              }
              Platforms: class ConditionalAccessPlatformCondition {
                IncludePlatforms: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms]
                ExcludePlatforms: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms]
              }
              Locations: class ConditionalAccessLocationCondition {
                IncludeLocations: System.Collections.Generic.List`1[System.String]
                ExcludeLocations: System.Collections.Generic.List`1[System.String]
              }
              SignInRiskLevels: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessRiskLevel]
              ClientAppTypes: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessClientApp]
            }
GrantControls : class ConditionalAccessGrantControls {
              _Operator: OR
              BuiltInControls: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControl]
              CustomAuthenticationFactors: System.Collections.Generic.List`1[System.String]
              TermsOfUse: System.Collections.Generic.List`1[System.String]
            }

1 answer

  1. Kavya 490 Reputation points
    2025-01-22T05:36:49.6066667+00:00

    The Azure AD PowerShell module is being deprecated. You can use Microsoft Graph cmdlets as an alternative. For instance, to retrieve all Conditional Access (CA) policies, you can use the Get-MgIdentityConditionalAccessPolicy cmdlet:

    Get-MgIdentityConditionalAccessPolicy -All | select DisplayName,Description,State,CreatedDateTime

    To get more details:

    Get-MgIdentityConditionalAccessPolicy -All | select *

    However, most properties will be displayed as IDs instead of user-friendly names. In such cases, you can use the Get-MgDirectoryObject cmdlet to convert IDs into readable names.

    For a more comprehensive approach, you can try this PowerShell script to export all CA policies to a CSV file, including 30+ properties like included/excluded users, groups, roles, device platforms, apps, and more: https://o365reports.com/2024/02/20/export-conditional-access-policies-to-excel-using-powershell/
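
An added example, not part of the answer above or of the linked script: one way to flatten the nested condition lists (shown in the question as `System.Collections.Generic.List`) into readable columns and resolve user and group IDs to names with `Get-MgDirectoryObject`. The function names, the cache variable and the sample policy values are assumptions made for illustration.

```powershell
# Added example. Needs the Microsoft.Graph SDK only for live lookups; the sample runs offline.
$script:NameCache = @{}   # object ID -> display name, so each ID is looked up once

function Resolve-CaId {
    param([string]$Id)
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$guid)) { return $Id }   # 'All', 'None', ... are keywords
    if (-not $script:NameCache.ContainsKey($Id)) {
        try {
            $obj  = Get-MgDirectoryObject -DirectoryObjectId $Id -ErrorAction Stop
            $name = [string]$obj.AdditionalProperties['displayName']
            $script:NameCache[$Id] = if ($name) { $name } else { $Id }
        } catch { $script:NameCache[$Id] = "$Id (unresolved)" }   # deleted object or no session
    }
    $script:NameCache[$Id]
}

function Join-CaValue {
    param($Values, [switch]$Resolve)
    (@($Values) | Where-Object { $_ } |
        ForEach-Object { if ($Resolve) { Resolve-CaId $_ } else { "$_" } }) -join '; '
}

function ConvertTo-CaPolicyReport {
    param([Parameter(ValueFromPipeline)]$Policy)
    process {
        $c = $Policy.Conditions
        [pscustomobject]@{
            DisplayName   = $Policy.DisplayName
            State         = $Policy.State
            IncludeUsers  = Join-CaValue $c.Users.IncludeUsers  -Resolve
            ExcludeUsers  = Join-CaValue $c.Users.ExcludeUsers  -Resolve
            IncludeGroups = Join-CaValue $c.Users.IncludeGroups -Resolve
            ExcludeGroups = Join-CaValue $c.Users.ExcludeGroups -Resolve
            IncludeApps   = Join-CaValue $c.Applications.IncludeApplications
            GrantControls = Join-CaValue $Policy.GrantControls.BuiltInControls
        }
    }
}

# Constructed sample shaped like a policy object (values are made up, not from a tenant).
$sample = [pscustomobject]@{ DisplayName = 'MFA_Policy (O365)'; State = 'disabled'
    Conditions = [pscustomobject]@{
        Users = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeGroups = @('00000000-0000-0000-0000-000000000001') }
        Applications = [pscustomobject]@{ IncludeApplications = @('Office365') } }
    GrantControls = [pscustomobject]@{ BuiltInControls = @('mfa') } }
$sample | ConvertTo-CaPolicyReport | Format-List
# Live (assumes the account holds these scopes): Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All'
# Get-MgIdentityConditionalAccessPolicy -All | ConvertTo-CaPolicyReport | Export-Csv ca-policies.csv -NoTypeInformation
```

Without a Graph session the sample's group ID is reported as unresolved rather than dropped, so excluded objects that no longer exist stay visible in a review.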

