Examples/Resources/AADConditionalAccessPolicy/1-ConfigureAADConditionalAccessPolicy.ps1

<#
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to be used as a production baseline.
#>


# Declares one AADConditionalAccessPolicy resource ("Allin-example") on localhost through the
# Microsoft365DSC module, populating every policy parameter to show its syntax.
#
# Parameter:
#   credsGlobalAdmin - PSCredential handed to the resource as GlobalAdminAccount.
#   NOTE(review): no ConfigurationData is shown with this example; confirm how the compiled MOF
#   protects this credential (certificate encryption rather than plain-text storage).
Configuration Example
{
    param
    (
        [Parameter(Mandatory)]
        [PSCredential]
        $credsGlobalAdmin
    )

    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADConditionalAccessPolicy Allin-example
        {
            # --- Identity and lifecycle ---
            # State "disabled": the policy object is created in the tenant but is not enforced.
            DisplayName                = "Allin-example"
            Ensure                     = "Present"
            State                      = "disabled"
            GlobalAdminAccount         = $credsGlobalAdmin

            # --- Assignments: users, groups and directory roles ---
            # NOTE(review): AlexW@contoso.com is listed in both IncludeUsers and ExcludeUsers.
            # Conditional Access gives exclusions precedence over inclusions, so this user would
            # fall outside the policy - confirm the overlap is intended for the example.
            IncludeUsers               = @("Alexw@contoso.com")
            IncludeGroups              = @()
            IncludeRoles               = @("Compliance Administrator")
            # The exclusions below remove several administrator roles and named admin accounts
            # from scope, so their sign-ins would not be subject to the grant controls. Outside a
            # syntax demo, exclusions are usually narrowed to emergency-access accounts.
            ExcludeUsers               = @("admin@contoso.com", "AAdmin@contoso.com", "CAAdmin@contoso.com", "AllanD@contoso.com", "AlexW@contoso.com", "GuestsOrExternalUsers")
            ExcludeGroups              = @()
            ExcludeRoles               = @("Company Administrator", "Application Administrator", "Application Developer", "Cloud Application Administrator", "Cloud Device Administrator")

            # --- Assignments: cloud apps and user actions ---
            # ExcludeApplications mixes application IDs (GUIDs) with the "Office365" keyword.
            IncludeApplications        = @("All")
            ExcludeApplications        = @("803ee9ca-3f7f-4824-bd6e-0b99d720c35c", "00000012-0000-0000-c000-000000000000", "00000007-0000-0000-c000-000000000000", "Office365")
            IncludeUserActions         = @()

            # --- Conditions ---
            ClientAppTypes             = @("ExchangeActiveSync", "Browser", "MobileAppsAndDesktopClients", "Other")
            IncludePlatforms           = @("Android", "IOS")
            ExcludePlatforms           = @("Windows", "WindowsPhone", "MacOS")
            # "Blocked Countries" presumably refers to a named location that already exists in
            # the tenant - verify before applying.
            IncludeLocations           = @("AllTrusted")
            ExcludeLocations           = @("Blocked Countries")
            IncludeDevices             = @("All")
            ExcludeDevices             = @("Compliant", "DomainJoined")
            SignInRiskLevels           = @("High", "Medium")
            UserRiskLevels             = @("High", "Medium")

            # --- Grant controls ---
            # Operator "OR": satisfying any single listed control is enough to be granted access.
            BuiltInControls            = @("Mfa", "CompliantDevice", "DomainJoinedDevice", "ApprovedApplication", "CompliantApplication")
            GrantControlOperator       = "OR"

            # --- Session controls ---
            CloudAppSecurityIsEnabled  = $true
            CloudAppSecurityType       = "MonitorOnly"
            SignInFrequencyIsEnabled   = $true
            SignInFrequencyType        = "Hours"
            SignInFrequencyValue       = 5
            PersistentBrowserIsEnabled = $false
            PersistentBrowserMode      = ""
        }
    }
}