Public/Set-NLBaselineCAPoliciesMode.ps1
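function Set-NLBaselineCAPoliciesMode {
    <#
    .SYNOPSIS
        Toggle Conditional Access policies between Report-only and Enabled.

    .DESCRIPTION
        Interactively switches the state of Conditional Access policies to either
        report-only mode (enabledForReportingButNotEnforced) or enabled mode.
        An optional display-name prefix narrows the set of policies touched.

        Policies currently in the "disabled" state are never changed by this
        function; they are listed and skipped so that a bulk switch to "enabled"
        cannot silently activate a policy that an administrator deliberately
        turned off.

        The matching policies and their current state are printed before the
        confirmation prompt, and the function supports -WhatIf / -Confirm via
        ShouldProcess, so the exact blast radius of an "Enabled" switch can be
        reviewed before any PATCH is issued.

        Updates are sent through Invoke-MgGraphRequest (Graph REST PATCH) when
        that command is available, otherwise through
        Update-MgIdentityConditionalAccessPolicy.

    .OUTPUTS
        None. Progress and results are written to the host; failures to connect
        or to retrieve policies are reported via Write-Error.

    .NOTES
        Requires an existing Microsoft Graph session (Get-MgContext). When no
        session is present, Connect-NLBaselineCA is invoked to establish one.
        Enabling Conditional Access policies can lock out the operating admin;
        review the printed policy list carefully before confirming.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param()

    try {
        # Check connection; connect on demand when no tenant context exists
        $context = Get-MgContext -ErrorAction SilentlyContinue
        if (-not $context -or -not $context.TenantId) {
            Write-Host "Not connected to Microsoft 365. Connecting..." -ForegroundColor Yellow
            Write-Host ""
            $connection = Connect-NLBaselineCA
            if (-not $connection) {
                Write-Error "Cannot connect to Microsoft 365"
                return
            }
            $context = Get-MgContext
        }

        Write-Host "Toggle Policy Mode" -ForegroundColor Cyan
        Write-Host ""
        Write-Host "1. Set to Report-only (enabledForReportingButNotEnforced)" -ForegroundColor White
        Write-Host "2. Set to Enabled" -ForegroundColor White
        Write-Host ""
        $modeChoice = Read-Host "Select mode (1 or 2)"

        # Only the two documented choices are accepted. Anything else (including an
        # empty answer) aborts rather than defaulting to the enforcing "enabled" state.
        switch ($modeChoice.Trim()) {
            "1" { $newState = "enabledForReportingButNotEnforced" }
            "2" { $newState = "enabled" }
            default {
                Write-Host "Invalid selection '$modeChoice'. Cancelled." -ForegroundColor Yellow
                return
            }
        }

        Write-Host ""
        $prefixFilter = Read-Host "Enter prefix filter (optional, leave empty for all policies)"
        Write-Host ""
        Write-Host "Retrieving policies..." -ForegroundColor Yellow

        # Get policies using helper function with REST API fallback
        $allPolicies = @(Get-AllConditionalAccessPolicies)

        # Filter by prefix if specified. The user-supplied prefix is escaped so that
        # wildcard characters in a policy name prefix (e.g. '[') are matched literally.
        $policiesToUpdate = if ($prefixFilter) {
            $escapedPrefix = [System.Management.Automation.WildcardPattern]::Escape($prefixFilter)
            @($allPolicies | Where-Object { $_.displayName -like "$escapedPrefix*" })
        }
        else {
            $allPolicies
        }

        if (-not $policiesToUpdate -or $policiesToUpdate.Count -eq 0) {
            Write-Host "No policies found matching filter." -ForegroundColor Yellow
            return
        }

        Write-Host "Found $($policiesToUpdate.Count) policy/policies to update" -ForegroundColor Green
        Write-Host ""

        # Show exactly which policies will change (and which will be skipped) so the
        # operator confirms against the real list, not just a count.
        foreach ($policy in $policiesToUpdate) {
            if ($policy.state -eq "disabled") {
                Write-Host "  [skip]   $($policy.displayName) (disabled)" -ForegroundColor Gray
            }
            else {
                Write-Host "  [change] $($policy.displayName): $($policy.state) -> $newState" -ForegroundColor White
            }
        }
        Write-Host ""

        $confirm = Read-Host "Continue? (Y/N)"
        if ($confirm -ne 'Y' -and $confirm -ne 'y') {
            Write-Host "Cancelled." -ForegroundColor Yellow
            return
        }

        # Prefer the raw Graph REST PATCH when available; fall back to the SDK cmdlet.
        $useRest = [bool](Get-Command Invoke-MgGraphRequest -ErrorAction SilentlyContinue)

        $updatedCount = 0
        foreach ($policy in $policiesToUpdate) {
            if ($policy.state -eq "disabled") {
                Write-Host "  Skipping disabled policy: $($policy.displayName)" -ForegroundColor Gray
                continue
            }

            # Honour -WhatIf / -Confirm per policy.
            if (-not $PSCmdlet.ShouldProcess($policy.displayName, "Set state to '$newState'")) {
                continue
            }

            try {
                if ($useRest) {
                    $body = @{ state = $newState } | ConvertTo-Json
                    $null = Invoke-MgGraphRequest -Method PATCH `
                        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.id)" `
                        -Body $body `
                        -ContentType "application/json" `
                        -ErrorAction Stop
                }
                else {
                    Update-MgIdentityConditionalAccessPolicy `
                        -ConditionalAccessPolicyId $policy.id `
                        -State $newState `
                        -ErrorAction Stop
                }
                Write-Host "  Updated: $($policy.displayName) -> $newState" -ForegroundColor Green
                $updatedCount++
            }
            catch {
                # Report per-policy failures and keep going so one bad policy does not
                # leave the rest in an inconsistent state.
                Write-Host "  Failed to update $($policy.displayName): $_" -ForegroundColor Red
            }
        }

        Write-Host ""
        Write-Host "Updated $updatedCount policy/policies" -ForegroundColor Green
    }
    catch {
        Write-Error "Error updating policies: $_"
    }
}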