Public/Remove-NLBaselineCAAllPolicies.ps1
|
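function Remove-NLBaselineCAAllPolicies {
    <#
    .SYNOPSIS
    Remove all Conditional Access policies (with optional prefix filter)

    .DESCRIPTION
    Removes all Conditional Access policies from the tenant. Optionally filters by prefix.
    Includes multiple confirmation prompts for safety.

    A real run always requires the two typed confirmations ('DELETE', then 'YES').
    -WhatIf skips those prompts and only reports which policies would be deleted;
    -Confirm adds a per-policy prompt on top of the typed confirmations.

    .PARAMETER PrefixFilter
    Literal, case-insensitive prefix of the policy display name. Wildcard characters
    in the value are matched literally. When empty, every policy in the tenant is selected.

    .EXAMPLE
    Remove-NLBaselineCAAllPolicies -PrefixFilter "CA200"
    Removes all policies starting with "CA200"

    .EXAMPLE
    Remove-NLBaselineCAAllPolicies
    Removes ALL policies (requires confirmation)

    .EXAMPLE
    Remove-NLBaselineCAAllPolicies -PrefixFilter "CA200" -WhatIf
    Lists every policy that would be deleted without sending any DELETE request

    .NOTES
    This function does not export or back up anything before it sends the DELETE
    requests. Deleting a Conditional Access policy removes the sign-in control it
    enforced, so export the policies first. The on-screen preview shows only the
    first 10 matches; use -WhatIf to see the complete list before confirming.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory = $false)]
        [string]$PrefixFilter = ""
    )

    try {
        # Check connection
        $context = Get-MgContext -ErrorAction SilentlyContinue
        if (-not $context -or -not $context.TenantId) {
            Write-Host "Not connected to Microsoft 365. Connecting..." -ForegroundColor Yellow
            Write-Host ""
            $connection = Connect-NLBaselineCA
            if (-not $connection) {
                Write-Error "Cannot connect to Microsoft 365"
                return
            }
            $context = Get-MgContext
        }

        Write-Host "========================================" -ForegroundColor Red
        Write-Host " REMOVE ALL POLICIES" -ForegroundColor Red
        Write-Host "========================================" -ForegroundColor Red
        Write-Host ""

        # Get all policies
        Write-Host "Retrieving Conditional Access policies..." -ForegroundColor Yellow
        $allPolicies = Get-AllConditionalAccessPolicies
        if (-not $allPolicies -or $allPolicies.Count -eq 0) {
            Write-Host "No policies found to remove." -ForegroundColor Yellow
            return
        }

        # Filter by prefix if specified. The prefix is escaped so that characters such
        # as '*', '?' or '[' in it cannot widen the match beyond a literal prefix, and
        # the result is forced to an array so .Count is reliable for a single match.
        $policiesToRemove = @(
            if ($PrefixFilter) {
                $prefixPattern = [System.Management.Automation.WildcardPattern]::Escape($PrefixFilter) + '*'
                $allPolicies | Where-Object { $_.DisplayName -like $prefixPattern }
            }
            else {
                $allPolicies
            }
        )

        if ($policiesToRemove.Count -eq 0) {
            Write-Host "No policies found matching filter." -ForegroundColor Yellow
            return
        }

        Write-Host ""
        Write-Host "WARNING: This will permanently delete $($policiesToRemove.Count) policy/policies!" -ForegroundColor Red
        # Show which tenant the session is bound to so the operator can catch a wrong-tenant run.
        Write-Host "Tenant: $($context.TenantId)" -ForegroundColor Yellow
        if ($PrefixFilter) {
            Write-Host "Filter: Policies starting with '$PrefixFilter'" -ForegroundColor Yellow
        }
        else {
            Write-Host "Filter: ALL policies (no filter)" -ForegroundColor Yellow
        }
        Write-Host ""

        # Show first 10 policies that will be deleted
        Write-Host "Policies to be deleted (showing first 10):" -ForegroundColor Yellow
        $policiesToRemove | Select-Object -First 10 | ForEach-Object {
            Write-Host " - $($_.DisplayName) (ID: $($_.Id))" -ForegroundColor Gray
        }
        if ($policiesToRemove.Count -gt 10) {
            Write-Host " ... and $($policiesToRemove.Count - 10) more" -ForegroundColor Gray
        }
        Write-Host ""

        # A -WhatIf run deletes nothing, so the typed confirmations are only asked
        # for when the DELETE requests will really be sent.
        if (-not $WhatIfPreference) {
            # First confirmation
            Write-Host "FIRST CONFIRMATION:" -ForegroundColor Red
            $confirm1 = Read-Host "Type 'DELETE' to confirm deletion of $($policiesToRemove.Count) policy/policies"
            if ($confirm1 -ne "DELETE") {
                Write-Host "Deletion cancelled. First confirmation failed." -ForegroundColor Yellow
                return
            }

            Write-Host ""
            Write-Host "SECOND CONFIRMATION:" -ForegroundColor Red
            $confirm2 = Read-Host "Type 'YES' to proceed with permanent deletion"
            if ($confirm2 -ne "YES") {
                Write-Host "Deletion cancelled. Second confirmation failed." -ForegroundColor Yellow
                return
            }
        }

        Write-Host ""
        Write-Host "Starting deletion..." -ForegroundColor Yellow
        Write-Host ""

        $deletedCount = 0
        $errors = @()

        # Resolve the Graph request cmdlet once instead of once per policy.
        $invokeCmd = Get-Command Invoke-MgGraphRequest -ErrorAction SilentlyContinue

        foreach ($policy in $policiesToRemove) {
            # SupportsShouldProcess is declared on the function, so the destructive call
            # must be gated here; without this gate -WhatIf would still delete policies.
            $target = "$($policy.DisplayName) (ID: $($policy.Id))"
            if (-not $PSCmdlet.ShouldProcess($target, 'Delete Conditional Access policy')) {
                continue
            }

            try {
                Write-Host "Deleting: $($policy.DisplayName)" -ForegroundColor Yellow

                if (-not $invokeCmd) {
                    throw "Invoke-MgGraphRequest not available"
                }
                # An empty Id would turn the URI into the policy collection itself.
                if ([string]::IsNullOrWhiteSpace($policy.Id)) {
                    throw "Policy has no Id"
                }

                $request = @{
                    Method      = 'DELETE'
                    Uri         = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.Id)"
                    ErrorAction = 'Stop'
                }
                Invoke-MgGraphRequest @request

                Write-Host " Deleted: $($policy.DisplayName)" -ForegroundColor Green
                $deletedCount++
            }
            catch {
                # Record the failure and continue with the remaining policies.
                $errors += "Error deleting $($policy.DisplayName): $_"
                Write-Host " Error: $($policy.DisplayName) - $_" -ForegroundColor Red
            }
        }

        Write-Host ""
        Write-Host "========================================" -ForegroundColor Green
        Write-Host " SUMMARY" -ForegroundColor Green
        Write-Host "========================================" -ForegroundColor Green
        Write-Host "Deleted: $deletedCount policy/policies" -ForegroundColor White
        if ($errors.Count -gt 0) {
            Write-Host "Errors: $($errors.Count)" -ForegroundColor Red
            # Loop variable is not named $error: that is PowerShell's automatic error list.
            foreach ($errorMessage in $errors) {
                Write-Host " - $errorMessage" -ForegroundColor Yellow
            }
        }
        Write-Host ""
    }
    catch {
        Write-Error "Error removing policies: $_"
    }
}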