Public/generated/Get-KriticalUtcmAADConditionalAccessPolicy.ps1
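# Kritical.PS.UTCM | Microsoft Graph UTCM REST API toolkit
# (c) 2026 Kritical Pty Ltd | https://kritical.net
# Kritical brand banner is rendered at module load via Write-KriticalUtcmBanner.

function Get-KriticalUtcmAADConditionalAccessPolicy {
<#
.SYNOPSIS
Kritical.UTCM shim for M365DSC resource AADConditionalAccessPolicy.

.DESCRIPTION
Search-replace safe: callers that today invoke
    Get-M365DSCAADConditionalAccessPolicy -Credential $cred -TenantId $tid
can rename to
    Get-KriticalUtcmAADConditionalAccessPolicy -Credential $cred -TenantId $tid
with ZERO other edits. Parameter shape matches the M365DSC .schema.mof exactly.
By default -PreferM365DscBehavior is true.

Actual Graph dispatch is delegated to Invoke-KriticalUtcmM365DscSchemaBridge.
Bridge maps resource → Graph endpoint per per-resource wave; where mapping is
not yet shipped, bridge returns an object with Verdict='UNMAPPED'.

Credential, ApplicationSecret and CertificatePassword are typed
[System.Management.Automation.PSCredential], as in the M365DSC resource.
A [string] type on these parameters would coerce a PSCredential passed by an
existing caller to its type name (losing both username and password) and would
carry any secret through $PSBoundParameters as plain text, where -Verbose
output, transcripts and error records can expose it.

This function performs no validation beyond parameter binding; every bound
parameter is forwarded unchanged to the bridge as -CallerParams.

.NOTES
Workload: Entra
Param count: 36
#>
    [CmdletBinding()]
    param(
        # DisplayName of the AAD CA Policy
        [Parameter(Mandatory)]
        [string]$DisplayName,

        # Specifies the GUID for the Policy.
        [string]$Id,

        # Specifies the State of the Policy.
        [ValidateSet('disabled','enabled','enabledForReportingButNotEnforced')]
        [string]$State,

        # Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID.
        [string]$ApplicationsFilter,

        # Mode to use for the filter. Possible values are include or exclude.
        [ValidateSet('include','exclude')]
        [string]$ApplicationsFilterMode,

        # Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type.
        [ValidateSet('all','enumerated','unknownFutureValue')]
        [string]$IncludeExternalTenantsMembershipKind,

        # Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type.
        [ValidateSet('all','enumerated','unknownFutureValue')]
        [string]$ExcludeExternalTenantsMembershipKind,

        # Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed.
        [ValidateSet('include','exclude')]
        [string]$ServicePrincipalFilterMode,

        # Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed.
        [string]$ServicePrincipalFilterRule,

        # Client Device Filter mode of the Policy.
        [ValidateSet('include','exclude')]
        [string]$DeviceFilterMode,

        # Client Device Filter rule of the Policy.
        [string]$DeviceFilterRule,

        # Operator to be used for Grant Controls.
        [ValidateSet('AND','OR')]
        [string]$GrantControlOperator,

        # Specifies, whether Application Enforced Restrictions are enabled in the Policy.
        [bool]$ApplicationEnforcedRestrictionsIsEnabled,

        # Specifies, whether Cloud App Security is enforced by the Policy.
        [bool]$CloudAppSecurityIsEnabled,

        # Specifies, what Cloud App Security control is enforced by the Policy.
        [string]$CloudAppSecurityType,

        # Specifies continuous access evaluation settings. The possible values are: disabled, strictEnforcement, strictLocation
        [ValidateSet('disabled','strictEnforcement','strictLocation')]
        [string]$ContinuousAccessEvaluationMode,

        # Specifies if token protection for sign-in sessions is to be enforced by the policy.
        [bool]$SecureSignInSessionIsEnabled,

        # Sign in frequency time in the given unit to be enforced by the policy.
        [int]$SignInFrequencyValue,

        # Display name of the terms of use to assign.
        [string]$TermsOfUse,

        # Sign in frequency unit (days/hours) to be interpreted by the policy.
        [ValidateSet('Days','Hours')]
        [string]$SignInFrequencyType,

        # Specifies, whether sign-in frequency is enforced by the Policy.
        [bool]$SignInFrequencyIsEnabled,

        # Sign in frequency interval. Possible values are: 'timeBased', 'everyTime' and 'unknownFutureValue'.
        [ValidateSet('timeBased','everyTime','unknownFutureValue')]
        [string]$SignInFrequencyInterval,

        # Specifies, whether Browser Persistence is controlled by the Policy.
        [bool]$PersistentBrowserIsEnabled,

        # Specifies, what Browser Persistence control is enforced by the Policy.
        [ValidateSet('Always','Never')]
        [string]$PersistentBrowserMode,

        # Specifies, if DisableResilienceDefaults is enabled.
        [bool]$DisableResilienceDefaultsIsEnabled,

        # Name of the associated authentication strength policy.
        [string]$AuthenticationStrength,

        # Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.
        [string]$TransferMethods,

        # Specify if the Azure AD CA Policy should exist or not.
        [ValidateSet('Present','Absent')]
        [string]$Ensure,

        # Credentials for the Microsoft Graph delegated permissions.
        # PSCredential (not [string]) so the password stays a SecureString end to end.
        [System.Management.Automation.PSCredential]$Credential,

        # Id of the Azure Active Directory application to authenticate with.
        [string]$ApplicationId,

        # Id of the Azure Active Directory tenant used for authentication.
        [string]$TenantId,

        # Secret of the Azure Active Directory application to authenticate with.
        # PSCredential (not [string]) so the client secret is never bound as plain text.
        [System.Management.Automation.PSCredential]$ApplicationSecret,

        # Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
        [string]$CertificateThumbprint,

        # Username can be made up to anything but password will be used for CertificatePassword
        # PSCredential (not [string]); only the Password member is meaningful.
        [System.Management.Automation.PSCredential]$CertificatePassword,

        # Path to certificate used in service principal usually a PFX file.
        [string]$CertificatePath,

        # Managed ID being used for authentication.
        [bool]$ManagedIdentity
    )

    # Everything the caller bound (including any credential objects) goes to the
    # bridge untouched; resource/workload/verb identify the schema mapping to use.
    $bridgeArgs = @{
        ResourceName = 'AADConditionalAccessPolicy'
        Workload     = 'Entra'
        Verb         = 'Get'
        CallerParams = $PSBoundParameters
    }
    Invoke-KriticalUtcmM365DscSchemaBridge @bridgeArgs
}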