-
Notifications
You must be signed in to change notification settings - Fork 5
/
New-CaToUPolicy.ps1
92 lines (78 loc) · 3.27 KB
/
New-CaToUPolicy.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<#
.NOTES
Required permissions for Application:
Policy.Read.All
Policy.ReadWrite.ConditionalAccess
Application.Read.All
Save Application Secret to xml file
$Password = Get-Credential
$Password | Export-clixml -path .\Secret.xml
.EXAMPLE
Before running the script
$secret = (Import-CLixml -path .\Secret.xml).GetNetworkCredential().password
.\New-CaToUPolicy.ps1 -ApplicationID "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -AccessSecret $secret -TenatDomainName "TENANT.COM" -TermsOfUseName "TERMS_OF_USE_NAME" -ExcludeUser 'USER@TENANT.COM'
$secret = $null
#>
param (
[Parameter(mandatory=$true)]
[string] $ApplicationID,
[Parameter(mandatory=$true)]
[string] $AccessSecret,
[Parameter(mandatory=$true)]
[string] $TenatDomainName,
[string] $Uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
[Parameter(mandatory=$true)]
[string] $TermsOfUseName,
[Parameter(mandatory=$true)]
[string] $ExcludeUser
)
Start-Transcript -Path .\New-CaToUPolicy.log
Write-Host "Logging to Azure AD" -ForegroundColor Cyan
Connect-AzureAD | out-null
#Region Connection
$Body = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
client_Id = $ApplicationID
Client_Secret = $AccessSecret
}
$connectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenatDomainName/oauth2/v2.0/token" -Method POST -Body $Body -ContentType 'application/x-www-form-urlencoded'
$authHeader = @{
'Authorization' = "Bearer $($connectGraph.access_token)"
}
#endregion
#region Configure CA Policy for Terms of Use
$displayName = "External Users and Guests - $TermsOfUseName"
$policyChecker = (Invoke-RestMethod -Uri $Uri -Headers $authHeader -Method get).value | Where-Object { $_.DisplayName -eq $displayName }
if ($null -eq $policyChecker) {
$touUri = "https://graph.microsoft.com/beta/identityGovernance/termsOfUse/agreements"
$termsOfUseId = ((Invoke-RestMethod -Headers $authHeader -Uri $touUri -Method get).value | Where-Object { $_.displayName -eq $TermsOfUseName }).id
$excludedUserId = (Get-AzureADUser -SearchString $ExcludeUser).ObjectId
$body = @{
displayName = $displayName
state = "enabled"
grantControls = @{
builtInControls = @('mfa')
operator = "AND"
termsOfUse = @($termsOfUseId)
}
conditions = @{
applications = @{
includeApplications = @("All")
}
clientAppTypes = @("all")
users = @{
includeUsers = @('GuestsOrExternalUsers')
excludeUsers = @($excludedUserId)
}
}
}
$body = $body | ConvertTo-Json -Depth 10
Write-Host "Adding new Conditional Access Policy '$displayName' that will require MFA and Tou for External and Guest users" -ForegroundColor Yellow
Invoke-RestMethod -Headers $authHeader -Uri $uri -body $body -Method Post -ContentType "application/json"
} else {
Write-Host "Conditional Access Policy '$displayName' already exists" -ForegroundColor Yellow
}
#endregion
Write-Host "Script run finished..." -ForegroundColor Cyan
Stop-Transcript