Disable traffic forwarding and Conditional Access policies that use the compliant network condition in break-glass scenarios

Users remain protected even if Microsoft Entra Internet Access suffers an outage or a connectivity failure. However, as an "emergency action" you can temporarily disable the traffic forwarding profiles and the Conditional Access policies that use the compliant network condition, so that users regain access to Microsoft apps and stay productive.

Below you will find a sample script that helps you quickly disable traffic forwarding and switch the Conditional Access policies that use the compliant network condition into report-only mode.

List and disable Conditional Access policies that use the compliant network condition in a break-glass scenario

The PowerShell script effectively disables the Conditional Access policies that use the compliant network condition. In an emergency, you can use this script to temporarily regain access for users.

The sample requires the Microsoft Graph Beta PowerShell module version 2.10 or later.

```powershell
# gsabreakglass.ps1 places the Compliant Network Conditional Access Policies for a given tenant using Microsoft Entra Internet Access into Report-Only mode.
#
# Version 1.0
#
# This script requires the following:
#    - PowerShell 5.1 (x64) or later
#    - Module: Microsoft.Graph.Beta
#
# Before you begin:
#
# - Make sure you are running PowerShell as an Administrator
# - Make sure your Administrator persona is using an Entra ID emergency access admin account that is not subject to the Microsoft Entra Internet Access Compliant Network policy, as described in https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access.
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Import-Module Microsoft.Graph.Beta.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All,Policy.ReadWrite.ConditionalAccess,NetworkAccess.ReadWrite.All"

# Location ID that Conditional Access policies reference when they use the Compliant Network condition.
$compliantNetworkLocationId = "3d46dbda-8382-466a-856d-eb00cbc6b910"
# All export files go to this folder. Out-File does not create folders, so create it up front.
$exportFolder = "C:\BreakGlass"
New-Item -Force -ItemType Directory -Path $exportFolder | Out-Null

$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
# Search for any Conditional Access policies leveraging the Compliant Network condition.
$allCAPolicies = Get-MgBetaIdentityConditionalAccessPolicy
$allCompliantNetworkCAPolicies = @()
foreach ($policy in $allCAPolicies)
{
    if ($policy.conditions.locations.excludeLocations -contains $compliantNetworkLocationId -or $policy.conditions.locations.includeLocations -contains $compliantNetworkLocationId)
    {
        $allCompliantNetworkCAPolicies += $policy
    }
}
$compliantNetworkCount = $allCompliantNetworkCAPolicies.Count
$result += "Total count of Compliant Network Conditional Access policies: $($compliantNetworkCount)"
# List + save the list of Compliant Network Conditional Access policies to the C:\BreakGlass folder for use in .\breakglass.ps1
foreach ($policy in $allCompliantNetworkCAPolicies)
{
    $current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
    $currentState = $current.state
    $currentTime = Get-Date
    $policyContent = "{0},{1},{2},{3},{4}" -f $policy.displayName, $policy.id, "Current State: $($currentState) at $($currentTime)", $policy.CreatedDateTime, $policy.ModifiedDateTime
    $result += $policyContent
    Write-Host "Conditional Access Policy with ID: $($policy.id) (state: $($current.state)) uses the Compliant Network Condition. Policy name: $($policy.displayName)"
}
$result += " "
$path = Join-Path $exportFolder "ListCompliantNetworkCAPolicies.txt"
$result | Out-File -FilePath $path
Write-Host "`nList of Compliant NW policies has been exported to $path`n"

# Put one policy into Report-Only mode, verify the change, and return the record line for the export
# file (or $null when nothing was changed). Progress messages go to the host, not to the return value.
function Set-PolicyReportOnly($policy)
{
    # Only break glass if the policy is currently enforced.
    if ($policy.state -ne "enabled")
    {
        Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
        return $null
    }
    $current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
    $currentState = $current.state
    $currentTime = Get-Date
    $params = @{
        state = "enabledForReportingButNotEnforced"
    }
    Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params

    # Re-read the policy to confirm the new state rather than assuming the update succeeded.
    $updatedTime = Get-Date
    $check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
    $updatedState = $check.state
    if ($updatedState -eq "enabledForReportingButNotEnforced")
    {
        Write-Host "Policy with ID $($policy.id) is now in Report-Only mode."
        return ("{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)")
    }
    Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode."
    return $null
}

$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
$result += "Total count of Compliant Network Conditional Access policies: $($allCompliantNetworkCAPolicies.Count)"
# Based on admin input, disable either all or some Conditional Access policies leveraging the Compliant Network Condition.
$action = Read-Host "Do you want to put all enabled compliant network Conditional Access policies in Report-Only mode (type 'all') or just specific policy IDs (type 'ids')?"
if ($action -eq "all")
{
    foreach ($policy in $allCompliantNetworkCAPolicies)
    {
        $line = Set-PolicyReportOnly $policy
        if ($line) { $result += $line; $count++ }
    }
} elseif ($action -eq "ids") {
    $policyIds = Read-Host "Enter the IDs of the policies you want to put in Report-Only mode (separated by commas)"
    # Trim whitespace and drop empty entries so "id1, id2" works as well as "id1,id2".
    $policyIds = ($policyIds -split ",") | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($id in $policyIds)
    {
        # Only policies that use the Compliant Network condition are eligible.
        $policy = $allCompliantNetworkCAPolicies | Where-Object { $_.id -eq $id }
        if ($policy)
        {
            $line = Set-PolicyReportOnly $policy
            if ($line) { $result += $line; $count++ }
        } else {
            Write-Host "Policy with ID $id not found."
        }
    }
} else {
    Write-Host "Invalid action. Please type 'all' or 'ids'."
}
# Save the list of Compliant Network Conditional Access policies that were moved to Report-Only mode to the C:\BreakGlass folder for use in .\breakglass.ps1
$result += "Number of policies placed in Report-Only mode: $($count)"
$path = Join-Path $exportFolder "ReportOnlyCompliantNetworkCAPolicies.txt"
$result | Out-File -FilePath $path
Write-Host "`nCA policy disablement results have been exported to $path`n"

# Disable traffic forwarding profiles
$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"

$forwardingProfiles = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles"
# $fwdProfile rather than $profile, which would shadow PowerShell's automatic $PROFILE variable.
foreach ($fwdProfile in $forwardingProfiles.value)
{
    $profileUri = "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles/$($fwdProfile.id)"
    if ($fwdProfile.state -eq "enabled") {
        $body = @{ state = "disabled" } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PATCH -Uri $profileUri -Body $body -ContentType "application/json" | Out-Null
        # Re-read the profile to confirm the change instead of relying on the PATCH response body.
        $check = Invoke-MgGraphRequest -Method GET -Uri $profileUri
        if ($check.state -eq "disabled") {
            $result += ("{0},{1},{2}" -f $fwdProfile.name, $fwdProfile.id, $fwdProfile.lastModifiedDateTime)
            Write-Host "$($fwdProfile.name) is now disabled."
        } else {
            Write-Host "$($fwdProfile.name) can't be disabled."
        }
    } else {
        Write-Host "$($fwdProfile.name) is already disabled."
    }
}

# Save the list of disabled forwarding profiles to the C:\BreakGlass folder
$path = Join-Path $exportFolder "DisabledForwardingProfiles.txt"
$result | Out-File -FilePath $path
Write-Host "`nDisabled Forwarding Profiles have been exported to $path`n"
```
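Once the emergency is over, the policies and forwarding profiles switched off above have to be enforced again, and the export files are what make that possible. The restore script below is an added example, not part of the original page or of Microsoft's own tooling; it assumes the same Microsoft.Graph.Beta module, scopes, Graph endpoints and C:\BreakGlass export formats as the script above, and that each exported policy or profile line contains the object's GUID.

```powershell
# restore-gsabreakglass.ps1: added example, not part of the original page. Re-enables what
# gsabreakglass.ps1 above switched off, driven by the export files that script writes.
Import-Module Microsoft.Graph.Beta.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All,Policy.ReadWrite.ConditionalAccess,NetworkAccess.ReadWrite.All"

$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

# Return the first GUID on every line of $file that matches $lineFilter. Display names may
# contain commas, so the GUID is matched directly instead of splitting the line on ",".
function Get-ExportedIds($file, $lineFilter)
{
    Get-Content $file |
        Where-Object { $_ -match $lineFilter } |
        ForEach-Object { if ($_ -match $guidPattern) { $Matches[0] } } |
        Select-Object -Unique
}

# Only export lines that record a completed switch carry "After BreakGlass".
$policyIds = Get-ExportedIds "C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt" "After BreakGlass"
foreach ($id in $policyIds)
{
    $current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id
    # Only flip policies still in the state the break-glass script left them in; anything an
    # admin changed in the meantime is reported and left alone.
    if ($current.state -ne "enabledForReportingButNotEnforced")
    {
        Write-Host "Policy $id is '$($current.state)', not Report-Only; skipping."
        continue
    }
    Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id -BodyParameter @{ state = "enabled" }
    $check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id
    if ($check.state -eq "enabled") {
        Write-Host "Policy $id ($($check.displayName)) is enforced again."
    } else {
        Write-Host "Policy $id could not be re-enabled (state: $($check.state))."
    }
}

# Forwarding profile export lines are "<name>,<id>,<lastModifiedDateTime>"; the header line has no GUID.
$profileIds = Get-ExportedIds "C:\BreakGlass\DisabledForwardingProfiles.txt" "."
foreach ($id in $profileIds)
{
    $uri = "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles/$id"
    $fwdProfile = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($fwdProfile.state -eq "enabled")
    {
        Write-Host "$($fwdProfile.name) is already enabled."
        continue
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body (@{ state = "enabled" } | ConvertTo-Json) -ContentType "application/json" | Out-Null
    $check = Invoke-MgGraphRequest -Method GET -Uri $uri
    Write-Host "$($fwdProfile.name): state is now '$($check.state)'."
}
```

Run it with the same emergency access account used for the break-glass script, so that the compliant network policies coming back into force cannot lock out the session that is restoring them.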
