Conditional Access: Programmatic access
Many organizations have expressed a need to manage as much of their environment as code as possible. Using Microsoft Graph, you can treat Conditional Access policies like any other piece of code in your environment.
Microsoft Graph provides a unified programmability model that organizations can use to interact with data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. For more information about Microsoft Graph, see the article, Overview of Microsoft Graph.
The following examples are provided as is with no support. You can use these examples as a basis for tooling in your organization.
Many of the following examples use tools like Managed Identities, Logic Apps, OneDrive, Teams, and Azure Key Vault.
Due to the planned deprecation of PowerShell modules (MSOL & AAD) after December 2022, no further updates are planned for these modules to support new Conditional Access features. See recent announcements for more information: https://aka.ms/AzureADPowerShellDeprecation. New Conditional Access features may not be available or may not be functional within these PowerShell modules as a result of this announcement. Please consider migrating to Microsoft Graph PowerShell. Additional guidance and examples will be released soon.
For many administrators, PowerShell is already an understood scripting tool. The following example shows how to use the Azure AD PowerShell module to manage Conditional Access policies.
Microsoft Graph APIs
This example shows the basic Create, Read, Update, and Delete (CRUD) options available in the Conditional Access APIs in Microsoft Graph. The example also includes some JSON templates you can use to create some sample policies.
Configure using templates
Use Conditional Access APIs to deploy Conditional Access policies in your pre-production environment using a template.
This example models safer deployment practices with approval workflows that can copy Conditional Access policies from one environment, like pre-production, to another, like your production environment.
This example provides a mechanism to perform a staged deployment of Conditional Access policies, rolling them out gradually to your user population so you can manage support impact and spot issues early.
This example provides a mechanism to monitor Conditional Access policy changes over time and can trigger alerts when key policies are changed.
Backup and restore
Automate the backup and restoration of Conditional Access policies with approvals in Teams using this example.
- Manage the backup and restore process of Conditional Access policies using Microsoft Graph API calls
Emergency access accounts
Multiple administrators may create Conditional Access policies and may forget to add your emergency access accounts as an exclusion to those policies. This example ensures that all policies are updated to include your designated emergency access accounts.
- Manage the assignment of emergency access accounts to Conditional Access policies using Microsoft Graph API calls
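An added example (not one of the samples from the GitHub repository) that implements the read and update half of the CRUD operations described above for the emergency-access case: it lists every policy through the Microsoft Graph `identity/conditionalAccess/policies` endpoint and patches any policy that does not yet exclude the designated emergency access accounts. It assumes you already hold an access token with `Policy.ReadWrite.ConditionalAccess`; the policy and account ids are constructed placeholders.

```python
import copy
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed sample shaped like one entry of GET .../conditionalAccess/policies;
# the ids are placeholders, not real object ids.
SAMPLE_POLICY = {
    "id": "<policy-id-placeholder>",
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<breakglass-1-id>"],
                  "includeGroups": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
    },
}


def missing_exclusions(policy, emergency_ids):
    """Return the emergency account ids this policy does not yet exclude."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return set(emergency_ids) - set(users.get("excludeUsers") or [])


def patch_body(policy, emergency_ids):
    """Build the PATCH body that adds the missing exclusions, or None when the
    policy already excludes every emergency account. The whole conditions
    object is resent (assumption: Graph treats it as one complex type) so the
    application, platform and other conditions are preserved unchanged."""
    missing = missing_exclusions(policy, emergency_ids)
    if not missing:
        return None
    conditions = copy.deepcopy(policy.get("conditions") or {})
    users = conditions.setdefault("users", {})
    users["excludeUsers"] = sorted(set(users.get("excludeUsers") or []) | missing)
    return {"conditions": conditions}


def enforce(token, emergency_ids):
    """List every policy and PATCH those missing an exclusion. Returns the
    display names of the policies that were changed. The token must carry
    Policy.ReadWrite.ConditionalAccess (obtained elsewhere, e.g. with MSAL)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url, changed = GRAPH, []
    while url:  # follow @odata.nextLink in case the listing is paged
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
            page = json.load(r)
        for policy in page["value"]:
            body = patch_body(policy, emergency_ids)
            if body is None:
                continue
            req = urllib.request.Request(f"{GRAPH}/{policy['id']}", method="PATCH",
                                         data=json.dumps(body).encode(), headers=headers)
            urllib.request.urlopen(req).close()
            changed.append(policy["displayName"])
        url = page.get("@odata.nextLink")
    return changed
```

Run `enforce(token, {"<breakglass-1-id>", "<breakglass-2-id>"})` from a scheduled job so that a policy created without the exclusion is corrected before it can lock out the emergency accounts.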
Things don't always work the way you want. When that happens, you need a way to get back to a state where work can continue. The following example provides a way to revert your policies to a known-good contingency plan and disable the other Conditional Access policies.
These samples are available in our GitHub repository. We are happy to support community contributions through GitHub Issues and Pull Requests.