Public/generated/Get-KriticalUtcmAADConditionalAccessPolicy.ps1

# Kritical.PS.UTCM | Microsoft Graph UTCM REST API toolkit
# (c) 2026 Kritical Pty Ltd | https://kritical.net
# Kritical brand banner is rendered at module load via Write-KriticalUtcmBanner.

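function Get-KriticalUtcmAADConditionalAccessPolicy {
<#
.SYNOPSIS
    Kritical.UTCM shim for M365DSC resource AADConditionalAccessPolicy.

.DESCRIPTION
    Search-replace safe: callers that today invoke
        Get-M365DSCAADConditionalAccessPolicy -Credential $cred -TenantId $tid
    can rename to
        Get-KriticalUtcmAADConditionalAccessPolicy -Credential $cred -TenantId $tid
    with ZERO other edits. Parameter shape matches the M365DSC .schema.mof
    exactly. By default -PreferM365DscBehavior is true.

    Actual Graph dispatch is delegated to Invoke-KriticalUtcmM365DscSchemaBridge.
    The bridge maps resource -> Graph endpoint in per-resource waves; where a
    mapping is not yet shipped, the bridge returns an object with Verdict='UNMAPPED'.

    Credential-bearing parameters (-Credential, -ApplicationSecret,
    -CertificatePassword) are typed [PSCredential], matching the MSFT_Credential
    embedded instances in the M365DSC schema.mof. Typing them [string] would make
    PowerShell stringify a PSCredential supplied by the caller (binding the type
    name rather than the secret), silently breaking the "ZERO other edits" promise
    above, and would carry any secret through $PSBoundParameters as plaintext.

    NOTE(review): Invoke-KriticalUtcmM365DscSchemaBridge is defined outside this
    file; confirm it reads these three values as credential objects
    (.UserName / .Password / .GetNetworkCredential()) rather than as strings.

.NOTES
    Workload: Entra
    Param count: 36
#>

    [CmdletBinding()]
    param(
        # DisplayName of the AAD CA Policy
        [Parameter(Mandatory)]
        [string]$DisplayName,
        # Specifies the GUID for the Policy.
        [string]$Id,
        # Specifies the State of the Policy.
        [ValidateSet('disabled','enabled','enabledForReportingButNotEnforced')]
        [string]$State,
        # Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID.
        [string]$ApplicationsFilter,
        # Mode to use for the filter. Possible values are include or exclude.
        [ValidateSet('include','exclude')]
        [string]$ApplicationsFilterMode,
        # Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type.
        [ValidateSet('all','enumerated','unknownFutureValue')]
        [string]$IncludeExternalTenantsMembershipKind,
        # Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type.
        [ValidateSet('all','enumerated','unknownFutureValue')]
        [string]$ExcludeExternalTenantsMembershipKind,
        # Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed.
        [ValidateSet('include','exclude')]
        [string]$ServicePrincipalFilterMode,
        # Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed.
        [string]$ServicePrincipalFilterRule,
        # Client Device Filter mode of the Policy.
        [ValidateSet('include','exclude')]
        [string]$DeviceFilterMode,
        # Client Device Filter rule of the Policy.
        [string]$DeviceFilterRule,
        # Operator to be used for Grant Controls.
        [ValidateSet('AND','OR')]
        [string]$GrantControlOperator,
        # Specifies, whether Application Enforced Restrictions are enabled in the Policy.
        [bool]$ApplicationEnforcedRestrictionsIsEnabled,
        # Specifies, whether Cloud App Security is enforced by the Policy.
        [bool]$CloudAppSecurityIsEnabled,
        # Specifies, what Cloud App Security control is enforced by the Policy.
        [string]$CloudAppSecurityType,
        # Specifies continuous access evaluation settings. The possible values are: disabled, strictEnforcement, strictLocation
        [ValidateSet('disabled','strictEnforcement','strictLocation')]
        [string]$ContinuousAccessEvaluationMode,
        # Specifies if token protection for sign-in sessions is to be enforced by the policy.
        [bool]$SecureSignInSessionIsEnabled,
        # Sign in frequency time in the given unit to be enforced by the policy.
        [int]$SignInFrequencyValue,
        # Display name of the terms of use to assign.
        [string]$TermsOfUse,
        # Sign in frequency unit (days/hours) to be interpreted by the policy.
        [ValidateSet('Days','Hours')]
        [string]$SignInFrequencyType,
        # Specifies, whether sign-in frequency is enforced by the Policy.
        [bool]$SignInFrequencyIsEnabled,
        # Sign in frequency interval. Possible values are: 'timeBased', 'everyTime' and 'unknownFutureValue'.
        [ValidateSet('timeBased','everyTime','unknownFutureValue')]
        [string]$SignInFrequencyInterval,
        # Specifies, whether Browser Persistence is controlled by the Policy.
        [bool]$PersistentBrowserIsEnabled,
        # Specifies, what Browser Persistence control is enforced by the Policy.
        [ValidateSet('Always','Never')]
        [string]$PersistentBrowserMode,
        # Specifies, if DisableResilienceDefaults is enabled.
        [bool]$DisableResilienceDefaultsIsEnabled,
        # Name of the associated authentication strength policy.
        [string]$AuthenticationStrength,
        # Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.
        [string]$TransferMethods,
        # Specify if the Azure AD CA Policy should exist or not.
        [ValidateSet('Present','Absent')]
        [string]$Ensure,
        # Credentials for the Microsoft Graph delegated permissions.
        # Credential object (MSFT_Credential in the schema.mof); the password stays a SecureString.
        [System.Management.Automation.PSCredential]$Credential,
        # Id of the Azure Active Directory application to authenticate with.
        [string]$ApplicationId,
        # Id of the Azure Active Directory tenant used for authentication.
        [string]$TenantId,
        # Secret of the Azure Active Directory application to authenticate with.
        # Credential object as in M365DSC; the secret is carried in the Password member, not as plaintext.
        [System.Management.Automation.PSCredential]$ApplicationSecret,
        # Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
        [string]$CertificateThumbprint,
        # Username can be made up to anything but password will be used for CertificatePassword
        [System.Management.Automation.PSCredential]$CertificatePassword,
        # Path to certificate used in service principal usually a PFX file.
        [string]$CertificatePath,
        # Managed ID being used for authentication.
        [bool]$ManagedIdentity
    )

    # $PSBoundParameters holds only the parameters the caller actually supplied,
    # so unset optional parameters never reach the bridge as empty values.
    Invoke-KriticalUtcmM365DscSchemaBridge -ResourceName 'AADConditionalAccessPolicy' -Workload 'Entra' -Verb 'Get' -CallerParams $PSBoundParameters
}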