Set Conditional Access Policy "Filter for devices" via PowerShell

TLQA 21 Reputation points
2022-09-01T07:07:29.177+00:00

Hello all,

A Microsoft moderator sent me to this forum.
(https://answers.microsoft.com/en-us/msoffice/forum/all/set-conditional-access-policy-filter-for-devices/178f7b3d-7564-46e2-867c-81655e12aec7?messageId=cb22c360-1b6c-425e-8002-413366d561ae)

Hopefully someone can help me with this topic.

I am currently trying to set "filter for devices" via PowerShell for our Conditional Access policy, but I can't figure out how to do it.

The goal is to set the syntax in the "filter for devices" via PowerShell to, for example: device.deviceId -eq "some serial number" -or device.deviceId -eq "some serial number"

First I tried to read the set values to find out how I could set them, but it seems there is no class for "filter for devices".

((Get-AzureADMSConditionalAccessPolicy -PolicyId somepolicyID).Conditions)

Output:

Applications     : class ConditionalAccessApplicationCondition {
                     IncludeApplications: System.Collections.Generic.List`1[System.String]
                     ExcludeApplications: System.Collections.Generic.List`1[System.String]
                     IncludeUserActions: System.Collections.Generic.List`1[System.String]
                     IncludeProtectionLevels:
                   }

Users            : class ConditionalAccessUserCondition {
                     IncludeUsers: System.Collections.Generic.List`1[System.String]
                     ExcludeUsers: System.Collections.Generic.List`1[System.String]
                     IncludeGroups: System.Collections.Generic.List`1[System.String]
                     ExcludeGroups: System.Collections.Generic.List`1[System.String]
                     IncludeRoles: System.Collections.Generic.List`1[System.String]
                     ExcludeRoles: System.Collections.Generic.List`1[System.String]
                   }

Platforms        : class ConditionalAccessPlatformCondition {
                     IncludePlatforms: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms]
                     ExcludePlatforms: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms]
                   }

Locations        :
SignInRiskLevels : {}
ClientAppTypes   : {All}



1 answer

  1. Vasil Michev 100.2K Reputation points MVP
    2022-09-01T08:05:39.297+00:00

    The AAD PowerShell module uses outdated APIs; switch to the Microsoft Graph SDK for PowerShell or, better yet, run direct Graph API requests instead. Here's the relevant documentation: https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-beta&tabs=http

    And the deviceFilter resource type: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessdevices?view=graph-rest-1.0

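The approach the answer recommends, worked through as an added example (this is not code from the question, the answer, or Microsoft's documentation): the Microsoft Graph PowerShell SDK (Microsoft.Graph module, Identity.SignIns cmdlets) is used to PATCH the `conditions.devices.deviceFilter` object of an existing Conditional Access policy, which is the "filter for devices" condition the AzureAD module cannot expose. The policy ID and device IDs in the usage call are placeholders. Two points the question glosses over: `device.deviceId` is the Entra device object's deviceId, a GUID, not a hardware serial number, so the function rejects non-GUID values; and `mode` decides whether the rule restricts the policy to the matched devices (`include`) or to everything except them (`exclude`), so a wrong mode silently changes the policy's scope.

```powershell
# Added example (not from the original post or answer): set the "filter for devices"
# condition of an existing Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph module; the policy ID and device IDs used below are placeholders.

function Set-CaDeviceFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $PolicyId,

        # Entra device IDs (device.deviceId). These are GUIDs; a hardware serial number is not a
        # deviceId and fails the GUID check below instead of producing a rule that never matches.
        [Parameter(Mandatory)] [string[]] $DeviceIds,

        # 'include' = the policy applies only to devices matching the rule.
        # 'exclude' = the policy applies to every device except those matching the rule.
        [ValidateSet('include', 'exclude')] [string] $Mode = 'include'
    )

    foreach ($id in $DeviceIds) {
        if (-not ($id -as [guid])) { throw "'$id' is not a deviceId GUID." }
    }

    # Same rule syntax the portal shows under "Rule syntax":
    #   device.deviceId -eq "guid1" -or device.deviceId -eq "guid2"
    $rule = ($DeviceIds | ForEach-Object { 'device.deviceId -eq "{0}"' -f $_ }) -join ' -or '

    # Only the devices condition is sent in the PATCH body. The read-back at the end is there to
    # confirm the filter landed and that the other conditions were not disturbed.
    $body = @{
        conditions = @{
            devices = @{
                deviceFilter = @{
                    mode = $Mode
                    rule = $rule
                }
            }
        }
    }

    if ($PSCmdlet.ShouldProcess($PolicyId, "Set device filter ($Mode): $rule")) {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter $body
    }

    # Return what the service actually stored.
    Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
}

# Usage with placeholder values. Policy.ReadWrite.ConditionalAccess is the delegated scope
# needed to change policies; Policy.Read.All is needed to read them back.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$policy = Set-CaDeviceFilter -PolicyId '00000000-0000-0000-0000-000000000000' `
    -DeviceIds '11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222' `
    -Mode include

# Verify the filter and spot-check that the existing user/app conditions are still present.
$policy.Conditions.Devices.DeviceFilter | Format-List Mode, Rule
$policy.Conditions.Users | Format-List IncludeUsers, ExcludeUsers, IncludeGroups, ExcludeGroups
$policy.Conditions.Applications | Format-List IncludeApplications, ExcludeApplications
```

Run it with `-WhatIf` first to see the exact rule string before anything is written, and keep the policy in report-only state (`enabledForReportingButNotEnforced`) until the sign-in logs confirm the filter selects the devices you expect; a rule that matches nothing in `include` mode, or everything in `exclude` mode, can lock out exactly the administrators it was meant to protect.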