Examples/Resources/AADConditionalAccessPolicy/1-ConfigureAADConditionalAccessPolicy.ps1

<#
This example is used to test new resources and to showcase the usage of resources that are still being worked on.
It is not meant to be used as a production baseline.
#>


# DSC configuration that declares a single Azure AD Conditional Access policy
# ("Allin-example") through the Microsoft365DSC AADConditionalAccessPolicy
# resource. Every condition/control the resource exposes is populated so the
# resource can be exercised end to end; the values are demonstrative, not a
# hardened policy (see the header comment).
#
# Parameters:
#   $credsGlobalAdmin - PSCredential used by the resource to authenticate to
#                       the tenant. NOTE(review): DSC writes PSCredential
#                       values into the compiled MOF; without certificate-based
#                       MOF encryption (or an explicit
#                       PSDscAllowPlainTextPassword opt-in) the password lands
#                       on disk in clear text - confirm how this example is
#                       compiled before reusing it.
Configuration Example
{
    param(
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $credsGlobalAdmin
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADConditionalAccessPolicy Allin-example
        {
            GlobalAdminAccount        = $credsGlobalAdmin;
            # Grant controls. With GrantControlOperator = "OR" (below) satisfying
            # ANY ONE of these controls is enough to be granted access; "AND"
            # would require all of them. Keep that in mind before copying the
            # pair into a real policy.
            BuiltInControls           = @("Mfa", "CompliantDevice", "DomainJoinedDevice", "ApprovedApplication", "CompliantApplication");
            ClientAppTypes            = @("ExchangeActiveSync", "Browser", "MobileAppsAndDesktopClients", "Other");
            # Session control: route through Defender for Cloud Apps in
            # monitor-only mode (no blocking of sessions).
            CloudAppSecurityIsEnabled = $True;
            CloudAppSecurityType      = "MonitorOnly";
            DisplayName               = "Allin-example";
            Ensure                    = "Present";
            # Applications excluded from the policy, by application (client) ID
            # or well-known name. NOTE(review): the GUIDs look like first-party
            # Microsoft service principals - verify what each one resolves to in
            # the target tenant before reusing this list.
            ExcludeApplications       = @("803ee9ca-3f7f-4824-bd6e-0b99d720c35c", "00000012-0000-0000-c000-000000000000", "00000007-0000-0000-c000-000000000000", "Office365");
            ExcludeDevices            = @("Compliant", "DomainJoined");
            # Named location referenced by display name; it must already exist.
            ExcludeLocations          = @("Blocked Countries");
            ExcludePlatforms          = @("Windows", "WindowsPhone", "MacOS");
            # Directory roles excluded from the policy ("Company Administrator"
            # is the directory's name for the Global Administrator role).
            # NOTE(review): excluding every privileged role from a policy whose
            # grant controls include MFA leaves the most valuable accounts
            # outside its scope; the usual guidance is to exclude only a small
            # set of break-glass accounts, not whole admin roles.
            ExcludeRoles              = @("Company Administrator", "Application Administrator", "Application Developer", "Cloud Application Administrator", "Cloud Device Administrator");
            # Individual admin accounts plus all guests/external users are also
            # excluded - the same caveat applies.
            ExcludeUsers              = @("admin@contoso.com", "AAdmin@contoso.com", "CAAdmin@contoso.com", "AllanD@contoso.com", "AlexW@contoso.com", "GuestsOrExternalUsers");
            GrantControlOperator      = "OR";
            IncludeApplications       = @("All");
            IncludeDevices            = @("All");
            # NOTE(review): the policy is scoped to trusted named locations only
            # (with "Blocked Countries" carved out). A real policy usually
            # targets "All" locations and excludes the trusted ones - confirm
            # this inversion is intentional for the test.
            IncludeLocations          = @("AllTrusted");
            IncludePlatforms          = @("Android", "IOS");
            IncludeUserActions        = @();
            IncludeUsers              = @("All");
            # Empty string here presumably means "not configured" - verify
            # against the resource schema.
            PersistentBrowserMode     = "";
            # Session control: force re-authentication every 5 hours.
            SignInFrequencyIsEnabled  = $True;
            SignInFrequencyType       = "Hours";
            SignInFrequencyValue      = 5;
            # Identity Protection risk conditions (sign-in and user risk).
            # NOTE(review): these conditions presumably require the
            # Identity Protection licensing tier - confirm for the tenant.
            SignInRiskLevels          = @("High", "Medium");
            # The policy is created but NOT enforced. A disabled policy protects
            # nothing; switch to "enabled" (or a report-only state, if the
            # resource supports one) once the conditions have been reviewed.
            State                     = "disabled";
            UserRiskLevels            = @("High", "Medium");
        }
    }
}