Conditional Access is one of the available tools used by Azure Active Directory to bring different signals together. Based on different signals it is possible to create decisions like; block access, remediate risk, allow full access and many more situation. 

In multiple situations it is useful to require actions like multi-factor authentication before a user can access a resource. For example:  A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user’s way when not needed.


Requirements

Using the Conditional Access feature required an Azure AD Premium P1 license. For the sign-in risk signal access to Identity Protection is required.

In this blog a short overview of the option to export Conditional Access configurations based on the Microsoft Graph API and export all the Conditional Access Policies.

API

For the API to retrieve a list of conditionalAccessPolicy objects the following permissions are required:

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Policy.Read.All
Delegated (personal Microsoft account) Not supported.
Application Policy.Read.All

 

HTTP request

GET /identity/conditionalAccess/policies

More information and request details: Source Microsoft

Query

Now go to: Developer.microsoft.com and sign-in with user credentials. After the sign-in it is important to consent the permissions. For the consent action; click on modify permissions and click on consent:

 


The result

The Microsoft Graph Explorer is a good tool for analyzing and testing API requests.

{
“id”: “xxxxxxxxxxxxxxxxxxxxxx”,
“displayName”: “V2.0 – BLOCK – Legacy Authentication”,
“createdDateTime”: “2020-10-16T22:00:29.9591207Z”,
“modifiedDateTime”: null,
“state”: “enabledForReportingButNotEnforced”,
“sessionControls”: null,
“conditions”: {
“signInRiskLevels”: [],
“clientAppTypes”: [
“exchangeActiveSync”,
“other”
],
“platforms”: null,
“locations”: null,
“applications”: {
“includeApplications”: [
“All”
],
“excludeApplications”: [],
“includeUserActions”: []
},
“users”: {
“includeUsers”: [
“All”
],
“excludeUsers”: [],
“includeGroups”: [],
“excludeGroups”: [],
“includeRoles”: [],
“excludeRoles”: []
}
},
“grantControls”: {
“operator”: “OR”,
“builtInControls”: [
“block”
],
“customAuthenticationFactors”: [],
“termsOfUse”: []
}
}

Next steps

The API makes it possible to use the Graph for different situation. Microsoft showed some samples what you can do with API and scripts related to Conditional Access: Examples are; Deploy from a standard set, monitor policy changes, backup CA rules and import. More information on techcommunity  and GitHub