Public/Get-GkConditionalAccessTemplate.ps1
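function Get-GkConditionalAccessTemplate {
    <#
    .SYNOPSIS
        Report Microsoft's built-in Conditional Access policy templates.

    .DESCRIPTION
        Reads GET /identity/conditionalAccess/templates — Microsoft's recommended
        CA policy templates, grouped by scenario (secureFoundation, zeroTrust,
        protectAdmins, remoteWork, emergingThreats). Useful as a baseline to
        compare a tenant's existing policies against and to spot missing coverage.

        Requires Policy.Read.All.

        The 'scenarios' value of each template is normalised to a list of
        individual scenario names before filtering, whether it arrives as a
        collection or as a single comma-separated string.

    .PARAMETER Scenario
        Filter to templates tagged with a scenario (e.g. protectAdmins).

    .PARAMETER AsReport
        Flatten Scenarios to a '; '-joined string and add ReportGeneratedUtc.

    .EXAMPLE
        Get-GkConditionalAccessTemplate

        All CA templates with their scenarios.

    .EXAMPLE
        Get-GkConditionalAccessTemplate -Scenario protectAdmins

        Templates aimed at protecting administrators.

    .EXAMPLE
        Get-GkConditionalAccessTemplate -AsReport | Export-Csv .\ca-templates.csv -NoTypeInformation

    .OUTPUTS
        PSGraphKit.CaTemplate

    .NOTES
        The rows describe Microsoft's template catalogue, not the tenant's own
        policies. A template appearing here says nothing about whether an
        equivalent policy exists, is enabled, or is in report-only mode in the
        tenant; that comparison has to be made against the tenant's actual
        Conditional Access policies.
    #>
    [CmdletBinding()]
    [OutputType('PSGraphKit.CaTemplate')]
    param(
        [string] $Scenario,
        [switch] $AsReport
    )

    begin {
        # The helper's output is discarded; presumably it throws when there is no
        # usable Graph session — confirm against Test-GkConnection.
        Test-GkConnection -FunctionName 'Get-GkConditionalAccessTemplate' | Out-Null

        # Captured once so every row of one invocation carries the same timestamp.
        $now = [datetime]::UtcNow
    }

    process {
        $templates = Invoke-GkGraphRequest -Uri '/identity/conditionalAccess/templates' -CallerFunction 'Get-GkConditionalAccessTemplate'

        foreach ($t in $templates) {
            # Graph documents 'scenarios' as a multi-valued enum, which can be
            # serialised as one comma-separated string ("secureFoundation,zeroTrust")
            # instead of a JSON array. Get-GkDictValue is defined elsewhere, so
            # normalise here: without the split, a -Scenario filter would never match
            # a template tagged with more than one scenario and the function would
            # silently under-report coverage.
            $scenarios = @(
                foreach ($entry in @(Get-GkDictValue $t 'scenarios')) {
                    if ($null -ne $entry) {
                        foreach ($part in ([string]$entry -split ',')) {
                            $scenarioName = $part.Trim()
                            if ($scenarioName) { $scenarioName }
                        }
                    }
                }
            )

            # -notin is case-insensitive, so 'protectadmins' matches 'protectAdmins'.
            if ($Scenario -and $Scenario -notin $scenarios) { continue }

            $obj = [ordered]@{
                PSTypeName  = 'PSGraphKit.CaTemplate'
                Name        = [string](Get-GkDictValue $t 'name')
                Description = [string](Get-GkDictValue $t 'description')
                Scenarios   = if ($AsReport) { $scenarios -join '; ' } else { $scenarios }
                Id          = [string](Get-GkDictValue $t 'id')
            }

            if ($AsReport) { $obj['ReportGeneratedUtc'] = $now }

            [pscustomobject]$obj
        }
    }
}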