Creating Entra Conditional Access Policies using Powershell – Intune Compliant Devices

In today’s exciting post, I’m going to create a Conditional Access policy in Entra ID that restricts all cloud apps to Intune-compliant devices, using my favourite scripting language, PowerShell (and we all know how much I love a good script!)

As usual, the script can be found on my ever-growing GitHub here

I’ll be using the AzureADPreview module for this script (note that the AzureAD and AzureADPreview modules are deprecated in favour of the Microsoft Graph PowerShell SDK, so treat this as the legacy route), so let’s start by installing it:

#Install the AzureADPreview module if it is not already available
if (Get-Module -ListAvailable -Name AzureADPreview) {
    Write-Host "AzureADPreview module already installed"
}
else {
    try {
        Install-Module -Name AzureADPreview -Scope CurrentUser -Repository PSGallery -Force -AllowClobber
    }
    catch [Exception] {
        #Surface the real error text rather than the ErrorRecord wrapper
        $_.Exception.Message
        exit
    }
}

Before importing it, make sure the non-preview AzureAD module isn’t already loaded. Both modules export cmdlets with the same names, so whichever is imported first wins, and you end up calling the GA cmdlets instead of the preview ones:

# Unload the AzureAD module (or continue if it's already unloaded)
Remove-Module AzureAD -ErrorAction SilentlyContinue
# Load the AzureADPreview module
Import-Module AzureADPreview

And connect to Azure AD:

Connect-AzureAD

For this policy I’m adding an exclusion on the Azure AD Joined Device Local Administrator role just so there is a back door should I mess up a compliance policy and lock everyone out (including from the Azure portal). Bear in mind that a role exclusion exempts every member of that role from the compliance requirement, so keep its membership small; Microsoft’s guidance is to also exclude dedicated emergency-access (break-glass) accounts from every Conditional Access policy.

So, we need to grab the role ID. The lookup needs the tenant ID, which the original script never set, so fetch it from the connected tenant first and fail hard if the role doesn’t come back (otherwise the policy would be created with no exclusion at all):

#Get the tenant ID (the role lookup needs it) and then the role definition
$tenantid = (Get-AzureADTenantDetail).ObjectId
$PIMrole = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $tenantid | Where-Object DisplayName -eq "Azure AD Joined Device Local Administrator"
if (-not $PIMrole) { throw "Role not found; refusing to create a policy with no exclusion" }

Now we build the policy out of the Microsoft Graph model types that the AzureADPreview module exposes (Microsoft.Open.MSGraph.Model.*), starting with the base condition set:

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

Set the applications (in this case, all cloud apps)

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"

We want all users except the role mentioned:

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
$conditions.Users.ExcludeRoles = $PIMrole.Id

We also want to set the client app types; again, I’m including them all (browser, mobile apps and desktop clients, legacy protocols):

$conditions.ClientAppTypes = "All"

We’re also going to need grant controls, so create that object first:

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls

Then I’m setting it to only allow compliant devices. With a single built-in control the OR/AND operator makes no practical difference, but the property still has to be set:

$controls._Operator = "OR"
##Require device compliance
$controls.BuiltInControls = "CompliantDevice"

It’s going to need a name

$name = "Conditional Access - Block NonCompliant Devices"

For safety, I prefer to deploy Disabled and then manually enable, or put it into report-only mode (state "enabledForReportingButNotEnforced"), which logs what the policy would have done in the sign-in logs without enforcing it. It depends how brave you are feeling:

$state = "Disabled"

Finally, put it all together and create the policy:

New-AzureADMSConditionalAccessPolicy `
    -DisplayName $name `
    -State $state `
    -Conditions $conditions `
    -GrantControls $controls
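The same policy, end to end, on the Microsoft Graph PowerShell SDK that replaces AzureADPreview, as an added example that is not the original script from this post. It assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, matches either the old or the renamed (“Microsoft Entra …”) role display name, optionally excludes break-glass accounts by UPN (the UPNs you pass in are placeholders, not real accounts), refuses to create a duplicate policy, deploys in report-only mode by default and reads the policy back to confirm the role exclusion actually landed before anyone switches it to enforced:

```powershell
# Added example: create the "compliant devices only" policy with the Graph SDK.
# Assumed modules: Microsoft.Graph.Identity.SignIns, .Identity.Governance, .Users.
param(
    [string]$PolicyName   = "Conditional Access - Block NonCompliant Devices",
    [ValidateSet("disabled", "enabledForReportingButNotEnforced", "enabled")]
    [string]$State        = "enabledForReportingButNotEnforced",   # report-only by default
    [string]$ExcludedRole = "Azure AD Joined Device Local Administrator",
    [string[]]$BreakGlassUpns = @()   # placeholder UPNs, e.g. "breakglass@contoso.example"
)

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

# Least-privilege delegated scopes: read role definitions and users, manage CA policies.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All",
                        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# 1. Resolve the excluded role to its template ID (what excludeRoles expects).
#    Newer tenants show the renamed "Microsoft Entra ..." display name, so match both.
$roleNames = @($ExcludedRole, ($ExcludedRole -replace '^Azure AD', 'Microsoft Entra'))
$role = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -First 1
if (-not $role) {
    throw "Role '$ExcludedRole' not found; refusing to create a policy with no exclusion."
}

# 2. Resolve optional break-glass accounts to object IDs; a bad UPN aborts the run.
$breakGlassIds = @(foreach ($upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $upn -ErrorAction Stop).Id
})

# 3. Don't silently create a second copy of an existing policy.
if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'") {
    throw "A policy named '$PolicyName' already exists."
}

# 4. Build the policy body: all users (minus the role and break-glass accounts),
#    all cloud apps, all client app types, grant only to compliant devices.
$body = @{
    displayName = $PolicyName
    state       = $State
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeRoles = @($role.TemplateId)
            excludeUsers = $breakGlassIds
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# 5. Read the policy back and verify the back door exists before it is ever enforced.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($check.Conditions.Users.ExcludeRoles -notcontains $role.TemplateId) {
    throw "Policy $($policy.Id) was created without the role exclusion; disable it before enforcing."
}
"Created '$($check.DisplayName)' (id $($check.Id)) in state '$($check.State)'"
```

Run it as-is to get a report-only policy, review the sign-in log entries it generates for a few days, then switch the state to "enabled" (or re-run with -State enabled after deleting the report-only copy). The read-back check at the end is the part worth keeping in any CA automation: a policy that enforces "compliant device" with no working exclusion is exactly the lockout the author is guarding against.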

Hopefully this gives an idea of how it is all put together so you can amend to create different policies in the same way.
