Public/Intune/Get-ConditionalAccessPolicy.ps1

function Get-ConditionalAccessPolicy {
    param (

    )
    $SPHash = @{ }
    $SPList = Get-AzureADServicePrincipal
    foreach ($SP in $SPList) {
        $SPHash[$SP.appId] = $SP.displayName
    }
    $RoleHash = @{ }
    $RoleList = Get-GraphUnifiedRole
    foreach ($Role in $RoleList) {
        $RoleHash[$Role.id] = $Role.displayName
    }
    $LocationHash = @{ }
    $LocationList = Get-GraphLocation | Select-Object -ExpandProperty value
    foreach ($Location in $LocationList) {
        $LocationHash[$Location.id] = @{
            displayName = $Location.displayName
            ipRanges    = $Location.ipRanges.cidrAddress
            isTrusted   = $Location.isTrusted
        }
    }
    Get-ConditionalAccessPolicyData | Select-Object @(
        'DisplayName'
        'State'
        @{
            Name       = 'UserRiskLevels'
            Expression = { @($_.Conditions.UserRiskLevels) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'SignInRiskLevels'
            Expression = { @($_.Conditions.SignInRiskLevels) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'ClientAppTypes'
            Expression = { @($_.Conditions.ClientAppTypes) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includeLocations'
            Expression = { @($_.Conditions.locations.includeLocations.foreach{
                        if ($LocationHash.ContainsKey($_)) {
                            if ($LocationHash[$_]['isTrusted']) { $isTrusted = 'isTrusted:True' } else { $isTrusted = 'isTrusted:False' }
                            $LocName = $LocationHash[$_]['displayName']
                            ($LocationHash[$_]['ipRanges']).foreach{
                                '{0} ({1}) {2}' -f $_, $LocName, $isTrusted
                            }
                        }
                        else { $_ } }) -ne '' -join "`r`n"
            }
        }
        @{
            Name       = 'excludeLocations'
            Expression = { @($_.Conditions.locations.excludeLocations.foreach{
                        if ($LocationHash.ContainsKey($_)) {
                            if ($LocationHash[$_]['isTrusted']) { $isTrusted = 'isTrusted:True' } else { $isTrusted = 'isTrusted:False' }
                            $LocName = $LocationHash[$_]['displayName']
                            ($LocationHash[$_]['ipRanges']).foreach{
                                '{0} ({1}) {2}' -f $_, $LocName, $isTrusted
                            }
                        }
                        else { $_ } }) -ne '' -join "`r`n"
            }
        }
        @{
            Name       = 'includeDeviceStates'
            Expression = { @($_.Conditions.devices.includeDeviceStates) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'excludeDeviceStates'
            Expression = { @($_.Conditions.devices.excludeDeviceStates) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includeApplications'
            Expression = { @($_.Conditions.applications.includeApplications.foreach{
                        if ($SPHash.ContainsKey($_)) { $SPHash[$_] } else { $_ } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'excludeApplications'
            Expression = { @($_.Conditions.applications.excludeApplications.foreach{
                        if ($SPHash.ContainsKey($_)) { $SPHash[$_] } else { $_ } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includeUserActions'
            Expression = { @($_.Conditions.applications.includeUserActions) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includeUsers'
            Expression = { @($_.Conditions.users.includeUsers.foreach{
                        try { (Get-GraphUser -UserId $_).displayName }
                        catch { } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'excludeUsers'
            Expression = { @($_.Conditions.users.excludeUsers.foreach{
                        try { (Get-GraphUser -UserId $_).displayName }
                        catch { } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includeGroups'
            Expression = { @($_.Conditions.users.includeGroups.foreach{
                        try { (Get-GraphGroup -UserId $_).displayName }
                        catch { } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'excludeGroups'
            Expression = { @($_.Conditions.users.excludeGroups.foreach{
                        try { (Get-GraphGroup -UserId $_).displayName }
                        catch { } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includeRoles'
            Expression = { @($_.Conditions.users.includeRoles.foreach{
                        if ($RoleHash.ContainsKey($_)) { $RoleHash[$_] } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'excludeRoles'
            Expression = { @($_.Conditions.users.excludeRoles.foreach{
                        if ($RoleHash.ContainsKey($_)) { $RoleHash[$_] } }) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'includePlatforms'
            Expression = { @($_.Conditions.platforms.includePlatforms) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'excludePlatforms'
            Expression = { @($_.Conditions.platforms.excludePlatforms) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'operator'
            Expression = { @($_.Grantcontrols.operator) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'builtInControls'
            Expression = { @($_.Grantcontrols.builtInControls) -ne '' -join "`r`n" }
        }
        @{
            Name       = 'persistentBrowser'
            Expression = { @($_.sessioncontrols.persistentBrowser).foreach{ if ($_.isEnabled) { 'mode:{0} persistent isEnabled:{1}' -f $_.mode, $_.isEnabled } } }
        }
        @{
            Name       = 'signInFrequency'
            Expression = { @($_.sessioncontrols.signInFrequency).foreach{ if ($_.isEnabled) { '{0} {1} isEnabled:{2}' -f $_.value, $_.type, $_.isEnabled } } }
        }
        @{
            Name       = 'cloudAppSecurity'
            Expression = { @($_.sessioncontrols.cloudAppSecurity).foreach{ if ($_.isEnabled) { 'cloudAppSecurityType:{0} isEnabled:{1}' -f $_.cloudAppSecurityType, $_.isEnabled } } }
        }
        @{
            Name       = 'applicationEnforcedRestrictions'
            Expression = { @($_.sessioncontrols.applicationEnforcedRestrictions) -ne '' -join "`r`n" }
        }
    )
}