New-EntraConditionalAccessPolicy

Creates a new conditional access policy in Microsoft Entra ID.

Syntax

New-EntraConditionalAccessPolicy
   [-Id <String>]
   [-DisplayName <String>]
   [-State <String>]
   [-Conditions <ConditionalAccessConditionSet>]
   [-GrantControls <ConditionalAccessGrantControls>]
   [-SessionControls <ConditionalAccessSessionControls>]
   [<CommonParameters>]

Description

This cmdlet lets an administrator create a new conditional access policy in Microsoft Entra ID.

Conditional access policies are rules that tie a set of conditions (which users, which applications, which locations, which client types) to the grant controls that must be satisfied, and the session controls that apply, before access is allowed.

Examples

Example 1: Creates a new conditional access policy in Microsoft Entra ID that requires MFA to access Exchange Online

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = '00000002-0000-0ff1-ce00-000000000000'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'all'
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

$params = @{
    DisplayName = 'MFA policy'
    State = 'Enabled'
    Conditions = $conditions
    GrantControls = $controls
}

New-EntraConditionalAccessPolicy @params

Id                                   CreatedDateTime     Description DisplayName ModifiedDateTime State   TemplateId
--                                   ---------------     ----------- ----------- ---------------- -----   ----------
aaaaaaaa-1111-1111-1111-000000000000 16/08/2024 07:29:09             MFA policy                   enabled

This command creates a new conditional access policy in Microsoft Entra ID that requires MFA to access Exchange Online.

  • -DisplayName parameter specifies the display name of the conditional access policy.
  • -State parameter specifies whether the policy is enabled, disabled, or in report-only mode (enabledForReportingButNotEnforced).
  • -Conditions parameter specifies the conditions under which the policy applies; here, all users accessing the Exchange Online application ID.
  • -GrantControls parameter specifies the controls that must be satisfied for access to be granted; here, MFA.
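
Before a policy like the one above is enforced, an operator normally wants two safeguards: an excluded emergency-access (break-glass) account, so a mistake in the policy cannot lock every administrator out, and an initial report-only state so the policy's effect can be reviewed in the sign-in logs first. The following is an added example and is not code from the original page; it assumes the Get-EntraConditionalAccessPolicy cmdlet with a -PolicyId parameter, and the break-glass account object ID is a placeholder.

```powershell
# Added example (not from the original page): create the Exchange Online MFA policy in
# report-only mode with a break-glass exclusion, then read it back and verify both safeguards.
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of the emergency-access (break-glass) account; replace with your own.
$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function New-ReportOnlyMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $ExcludedUserId
    )

    $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $conditions.Applications.IncludeApplications = $ApplicationId
    $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $conditions.Users.IncludeUsers = 'all'
    # Exclusions win over inclusions, so the break-glass account is never subject to this policy.
    $conditions.Users.ExcludeUsers = @($ExcludedUserId)

    $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $controls._Operator = 'OR'
    $controls.BuiltInControls = @('mfa')

    $params = @{
        DisplayName   = $DisplayName
        # Report-only: evaluated and written to the sign-in logs, but not enforced.
        State         = 'enabledForReportingButNotEnforced'
        Conditions    = $conditions
        GrantControls = $controls
    }
    New-EntraConditionalAccessPolicy @params
}

$policy = New-ReportOnlyMfaPolicy -DisplayName 'MFA policy (report-only)' `
                                  -ApplicationId $exchangeOnlineAppId `
                                  -ExcludedUserId $breakGlassAccountId

# Read the policy back from the directory (assumes Get-EntraConditionalAccessPolicy -PolicyId)
# instead of trusting the object returned by the create call.
$created = Get-EntraConditionalAccessPolicy -PolicyId $policy.Id
if ($created.State -ne 'enabledForReportingButNotEnforced') {
    throw "Policy $($created.Id) is not in report-only mode (State = $($created.State))"
}
if (@($created.Conditions.Users.ExcludeUsers) -notcontains $breakGlassAccountId) {
    throw "Policy $($created.Id) does not exclude the break-glass account"
}
"Policy $($created.Id) created in report-only mode with break-glass exclusion"
```

Once the report-only results in the sign-in logs look right, switch the policy to enforcement with Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -State 'enabled' (that cmdlet and its parameters are assumed here, not shown on this page).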

Example 2: Creates a new conditional access policy in Microsoft Entra ID that blocks access to Exchange Online from nontrusted regions

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = '00000002-0000-0ff1-ce00-000000000000'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'all'
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = '5eeeeee5-6ff6-7aa7-8bb8-9cccccccccc9'
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'block'

$params = @{
    DisplayName = 'MFA policy'
    State = 'Enabled'
    Conditions = $conditions
    GrantControls = $controls
}

New-EntraConditionalAccessPolicy @params

Id                                   CreatedDateTime     Description DisplayName ModifiedDateTime State   TemplateId
--                                   ---------------     ----------- ----------- ---------------- -----   ----------
aaaaaaaa-1111-1111-1111-000000000000 16/08/2024 07:31:25             MFA policy                   enabled

This command creates a new conditional access policy in Microsoft Entra ID that blocks access to Exchange Online from nontrusted regions.

  • -DisplayName parameter specifies the display name of the conditional access policy.
  • -State parameter specifies whether the policy is enabled, disabled, or in report-only mode (enabledForReportingButNotEnforced).
  • -Conditions parameter specifies the conditions under which the policy applies; here, all users accessing Exchange Online from the named location given by its ID.
  • -GrantControls parameter specifies the controls applied when the conditions match; here, block.
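
The page's location example targets a single named location by ID. The more common "deny from anywhere untrusted" shape includes All locations and excludes AllTrusted (every named location marked as trusted), and it excludes the break-glass account so a misconfigured named location cannot lock everyone out. The following is an added example and is not code from the original page; 'All' and 'AllTrusted' are the Microsoft Graph keyword values for includeLocations and excludeLocations, the break-glass ID is a placeholder, and the pre-flight check assumes a Get-EntraNamedLocationPolicy cmdlet whose IP-based named locations expose an IsTrusted property.

```powershell
# Added example (not from the original page): block Exchange Online from every location that is
# not a trusted named location, with a break-glass exclusion and a pre-flight check that at least
# one trusted named location exists so the block does not silently apply everywhere.
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'  # placeholder, replace
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

# Pre-flight: 'AllTrusted' excludes nothing if no named location is marked trusted, and the
# policy would then block from every location. Assumes Get-EntraNamedLocationPolicy returns
# named locations whose IP-based entries carry an IsTrusted property.
$trusted = @(Get-EntraNamedLocationPolicy | Where-Object { $_.IsTrusted -eq $true })
if ($trusted.Count -eq 0) {
    throw 'No trusted named location is defined; create one before deploying an AllTrusted exclusion'
}

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $exchangeOnlineAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'all'
$conditions.Users.ExcludeUsers = @($breakGlassAccountId)   # never lock out the break-glass account
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
# 'All' and 'AllTrusted' are Graph keyword values: apply everywhere, except trusted named locations.
$conditions.Locations.IncludeLocations = 'All'
$conditions.Locations.ExcludeLocations = 'AllTrusted'

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('block')

$params = @{
    DisplayName   = 'Block Exchange Online from untrusted locations'
    # A block policy is the easiest way to lock yourself out: start in report-only mode.
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = $conditions
    GrantControls = $controls
}
New-EntraConditionalAccessPolicy @params
```

Review the sign-in log entries flagged by the report-only policy for a few days (in particular, sign-ins from the trusted locations you expect to be exempt) before changing State to 'enabled'.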

Example 3: Use all conditions and controls

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.ClientAppTypes = @('mobileAppsAndDesktopClients', 'browser')
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = '00000002-0000-0ff1-ce00-000000000000'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'all'

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'AND'
$controls.BuiltInControls = @('mfa')

$sessionControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls
$applicationEnforcedRestrictions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationEnforcedRestrictions
$applicationEnforcedRestrictions.IsEnabled = $true
$sessionControls.ApplicationEnforcedRestrictions = $applicationEnforcedRestrictions

$params = @{
    DisplayName     = 'ConditionalAccessPolicy'
    Conditions      = $conditions
    GrantControls   = $controls
    SessionControls = $sessionControls
}

New-EntraConditionalAccessPolicy @params

Id                                   CreatedDateTime     Description DisplayName             ModifiedDateTime State   TemplateId
--                                   ---------------     ----------- -----------             ---------------- -----   ----------
aaaaaaaa-1111-1111-1111-000000000000 16/08/2024 07:31:25             ConditionalAccessPolicy                  enabled

This example creates a new conditional access policy in Microsoft Entra ID that combines a client app type condition, an application condition and a user condition with an MFA grant control and an application-enforced-restrictions session control. The example does not pass -State; pass it explicitly ('disabled' or 'enabledForReportingButNotEnforced') when a new policy should not be enforced immediately.

  • -DisplayName parameter specifies the display name of the conditional access policy.
  • -Conditions parameter specifies the conditions under which the policy applies; here, all users accessing Exchange Online from browsers or from mobile and desktop clients.
  • -GrantControls parameter specifies the controls that must be satisfied for access to be granted; here, MFA.
  • -SessionControls parameter specifies the controls applied to the session after access is granted; here, application-enforced restrictions.
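
Example 3 sets only ApplicationEnforcedRestrictions. The session controls a practitioner most often wants next to MFA are a sign-in frequency (forced re-authentication interval) and disabling persistent browser sessions, which bound how long a stolen refresh token or session cookie stays useful. The following is an added example and is not code from the original page; the ConditionalAccessSignInFrequency and ConditionalAccessPersistentBrowser type names and their IsEnabled, Type, Value and Mode properties are taken from the same Microsoft.Open.MSGraph.Model object model the page uses but are assumed rather than shown on this page, so the snippet checks that they exist before using them. The persistent browser control only takes effect when the policy is scoped to all cloud apps, which is why the application condition is 'All' here rather than the Exchange Online ID.

```powershell
# Added example (not from the original page): MFA plus session controls that bound token lifetime:
# force a fresh sign-in every 4 hours and never persist browser sessions.
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'

# The type names below come from the Microsoft.Open.MSGraph.Model object model the page uses but
# are assumed rather than shown on this page; fail early if this module build does not have them.
foreach ($name in 'Microsoft.Open.MSGraph.Model.ConditionalAccessSignInFrequency',
                  'Microsoft.Open.MSGraph.Model.ConditionalAccessPersistentBrowser') {
    if (-not ($name -as [type])) { throw "Type $name not found; check the module version" }
}

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
# 'All' cloud apps: the persistent browser session control only applies with this scope.
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'all'

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('mfa')

$sessionControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls

# Sign-in frequency: require a fresh interactive sign-in every 4 hours, so a replayed refresh
# token or session cookie stops working at the next boundary.
$signInFrequency = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSignInFrequency
$signInFrequency.IsEnabled = $true
$signInFrequency.Type  = 'hours'    # 'hours' or 'days'
$signInFrequency.Value = 4
$sessionControls.SignInFrequency = $signInFrequency

# Persistent browser: 'never' ends the session when the browser closes (no "stay signed in").
$persistentBrowser = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessPersistentBrowser
$persistentBrowser.IsEnabled = $true
$persistentBrowser.Mode = 'never'   # 'always' or 'never'
$sessionControls.PersistentBrowser = $persistentBrowser

$params = @{
    DisplayName     = 'MFA with 4h sign-in frequency'
    # Start in report-only mode; a short sign-in frequency across all apps is disruptive if wrong.
    State           = 'enabledForReportingButNotEnforced'
    Conditions      = $conditions
    GrantControls   = $controls
    SessionControls = $sessionControls
}
New-EntraConditionalAccessPolicy @params
```

Pick the frequency to match the risk of the population the policy covers: a short interval for privileged roles, a longer one for everyone else, and keep the break-glass account excluded as in the earlier examples.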

Parameters

-Conditions

Specifies the conditions for the conditional access policy in Microsoft Entra ID.

Type:ConditionalAccessConditionSet
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisplayName

Specifies the display name of a conditional access policy in Microsoft Entra ID.

Type:System.String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GrantControls

Specifies the controls for the conditional access policy in Microsoft Entra ID.

Type:ConditionalAccessGrantControls
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Id

Specifies the policy Id of a conditional access policy in Microsoft Entra ID.

Type:System.String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SessionControls

Specifies the session controls applied after access is granted, such as application-enforced restrictions, sign-in frequency, persistent browser sessions, and Defender for Cloud Apps session control.

Type:ConditionalAccessSessionControls
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-State

Specifies the enabled or disabled state of the conditional access policy in Microsoft Entra ID.

Type:System.String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False