개요
이 PowerShell 스크립트는 Microsoft Entra Internet Access 전달 정책에 사용자 지정 바이패스 규칙을 프로그래밍 방식으로 추가하는 방법을 보여 줍니다. 스크립트는 "사용자 지정 바이패스" 전달 정책을 찾고 지정된 도메인을 우회하는 샘플 규칙을 추가합니다.
샘플에는 Microsoft Graph 베타 PowerShell 모듈 2.10 이상이 필요합니다.
중요한 고려 사항
- 관리자 권한 PowerShell 세션에서 PowerShell 스크립트를 실행합니다.
- Microsoft.Graph.Beta 모듈을 설치해야 합니다.
  Install-Module Microsoft.Graph.Beta -AllowClobber -Force
- Connect-MgGraph에 사용되는 계정에는 다음 권한이 있어야 합니다.
  - Policy.Read.All (모든 정책 읽기)
  - NetworkAccess.ReadWrite.All
샘플 스크립트
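# bypassscript.ps1 adds sample endpoints to the custom bypass policy in the internet access forwarding profile
#
# Version 1.0
#
# This script requires the following:
# - PowerShell 5.1 (x64) or beyond
# - Module: Microsoft.Graph.Beta
#
# Before you begin:
# - Make sure you are running PowerShell as an Administrator
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
# - Make sure the account used for Connect-MgGraph has the following permissions:
#   - Policy.Read.All
#   - NetworkAccess.ReadWrite.All
#
# What the script does:
# 1. Looks up the forwarding policy named "Custom Bypass" through the Graph beta API.
# 2. Adds one FQDN bypass rule and one IP-subnet bypass rule to that policy.
#    Destinations in a bypass rule are not forwarded through Microsoft Entra
#    Internet Access, so replace the sample values in $sampledomains and
#    $sampleipbypassdomains with the endpoints you actually intend to exempt.
#
# Exit codes: 0 on success; 1 when a prerequisite is missing, the policy is
# not found, or a Graph request fails.

# Make every failing cmdlet terminate the script instead of printing an
# error and continuing (e.g. a rejected POST would otherwise be silently
# followed by the next POST).
$ErrorActionPreference = 'Stop'

if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Beta.Identity.SignIns)) {
    Write-Host "Module Microsoft.Graph.Beta.Identity.SignIns is not installed. Please install it using: Install-Module Microsoft.Graph.Beta -AllowClobber"
    exit 1
}
Import-Module Microsoft.Graph.Beta.Identity.SignIns

# Request only the two scopes the script needs: read policies, write network access rules.
Connect-MgGraph -Scopes "Policy.Read.All,NetworkAccess.ReadWrite.All"

#######################################
# Builds one internetAccessForwardingRule with action "bypass" and POSTs it to
# the policy's policyRules collection.
# Arguments:
#   -Name         display name of the rule
#   -RuleType     "fqdn" or "ipSubnet"; also selects the destination @odata.type
#   -Destinations one value per destination (FQDN pattern or CIDR subnet)
#   -Uri          the policyRules endpoint of the target forwarding policy
# Outputs: the Graph response object for the created rule (to the pipeline)
# Throws:  whatever Invoke-MgGraphRequest throws when the request is rejected
#######################################
function Add-BypassRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet("fqdn", "ipSubnet")] [string] $RuleType,
        [Parameter(Mandatory)] [string[]] $Destinations,
        [Parameter(Mandatory)] [string] $Uri
    )
    # The destination @odata.type suffix matches the rule type exactly
    # ("#microsoft.graph.networkaccess.fqdn" / "...ipSubnet").
    $destinationObjects = foreach ($value in $Destinations) {
        [PSCustomObject]@{
            '@odata.type' = "#microsoft.graph.networkaccess.$RuleType"
            value         = $value
        }
    }
    $rule = [PSCustomObject]@{
        name         = $Name
        action       = "bypass"
        # @() keeps a single destination serialized as a JSON array, not an object.
        destinations = @($destinationObjects)
        ruleType     = $RuleType
        ports        = @("80", "443")
        protocol     = "tcp"
        '@odata.type' = "#microsoft.graph.networkaccess.internetAccessForwardingRule"
    }
    # Explicit -Depth: the default (2) happens to cover destinations[].value,
    # but a deeper payload would otherwise be truncated to strings without warning.
    $body = $rule | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ContentType "application/json"
}

# Find the custom bypass forwarding policy id.
$custombypass = $null
$forwardingpolicies = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingpolicies"
# NOTE(review): only the first page of results is examined; if the response
# carried an @odata.nextLink the policy could be missed — confirm whether paging applies.
foreach ($policy in $forwardingpolicies.value) {
    if ($policy.name -eq "Custom Bypass") {
        $custombypass = $policy.id
    }
}
# $null on the left so a collection on the right is not unrolled by -eq.
if ($null -eq $custombypass) {
    Write-Host "Could not find the IA custom bypass forwarding policy. Exiting."
    exit 1
}

# Escape the id before embedding it in the URL path; a GUID is unchanged,
# anything else cannot break out of the quoted key segment.
$policyRulesUri = "https://graph.microsoft.com/beta/networkaccess/forwardingPolicies('$([uri]::EscapeDataString($custombypass))')/policyRules"

# First, bypass the sample FQDN endpoints.
$sampledomains = @(
    "bing.com",
    "*.bing.com"
)
Add-BypassRule -Name "Sample FQDN bypass rule" -RuleType "fqdn" -Destinations $sampledomains -Uri $policyRulesUri

# Next, bypass the sample IP-based endpoints.
$sampleipbypassdomains = @(
    "1.2.3.4/32"
)
Add-BypassRule -Name "Sample IP bypass rule" -RuleType "ipSubnet" -Destinations $sampleipbypassdomains -Uri $policyRulesUri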