Asked by: Achref Buster Asked: 11/6/2023 Updated: 11/6/2023 Views: 72
Struggling to create a PowerShell script to deploy a conditional access policy to block legacy authentication
Q:
This is my first post here, and I really hope someone can work through this with me. As you can probably see from the post title, I'm trying to create a PowerShell script that will deploy a conditional access policy to block legacy authentication, but I can't figure it out. Could someone look at my code and tell me why it doesn't work? It errors at:
$conditions.ClientAppTypes = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessClientApp
$conditions.ClientAppTypes = @("ExchangeActiveSync", "Other")
Main code:
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Applications.ExcludeApplications = @(
    ""
    "" # applications
)
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
$conditions.Users.ExcludeUsers = @(
    "" # Admin user ID
    "GuestsOrExternalUsers"
)
$conditions.Users.ExcludeGroups = "" # Admin group ID
$conditions.Users.ExcludeRoles = @(
    # ""
    # ""
)
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessClientApp
$conditions.ClientAppTypes = @("ExchangeActiveSync", "Other")
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "block"
New-AzureADMSConditionalAccessPolicy -DisplayName "Block Legacy Authentication" -State "Disabled" -Conditions $conditions -GrantControls $controls
A:
0 votes
Rukmini
11/6/2023
#1
To create a conditional access policy that blocks legacy authentication, you can use the following PowerShell script:
Connect-MgGraph -Scopes "Policy.Read.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Application.Read.All"

$conditions = @{
    Applications = @{
        includeApplications = 'All'
    };
    Users = @{
        includeUsers = 'All'
    };
    ClientAppTypes = @(
        'ExchangeActiveSync',
        'Other'
    );
}

$grantcontrols = @{
    BuiltInControls = @('Block');
    Operator = 'OR'
}

$name = "Block Legacy Authentication All Apps"
$state = "Disabled"

# Each continued line needs a trailing backtick, otherwise PowerShell
# parses "-State $state" and the following lines as separate commands.
New-MgIdentityConditionalAccessPolicy `
    -DisplayName $name `
    -State $state `
    -Conditions $conditions `
    -GrantControls $grantcontrols
The conditional access policy was created successfully.
To enable the policy, change that line to $state = "Enabled".
Comments
1 vote
Achref Buster
11/7/2023
Thank you very much for your help! This is a much simpler approach.
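The accepted answer builds the policy body as nested hashtables for the Microsoft Graph PowerShell SDK. As an added example (not code from the question or the answer, and not Microsoft's own sample), the script below wraps the same `New-MgIdentityConditionalAccessPolicy` call in the checks a tenant admin would want before rolling such a policy out: it looks up whether a policy with the same display name already exists and updates it instead of creating a duplicate, it excludes a break-glass account so the block cannot lock every administrator out, and it defaults to report-only mode (`enabledForReportingButNotEnforced`) so the sign-in logs show what would be blocked before `-Enforce` switches it to `enabled`. The `$BreakGlassUserIds` value is a placeholder object ID and `$DisplayName` is an assumed name; replace both with your own.

```powershell
# Added example (not from the question or answer): create or update the
# legacy-authentication block policy with the Microsoft Graph PowerShell SDK.
# Assumptions: the caller has Policy.ReadWrite.ConditionalAccess rights and the
# Microsoft.Graph.Identity.SignIns module is installed. The break-glass ID below
# is a placeholder, not a real account.
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    [string]   $DisplayName       = 'Block Legacy Authentication All Apps',   # assumed name
    [string[]] $BreakGlassUserIds = @('00000000-0000-0000-0000-000000000000'), # placeholder
    [switch]   $Enforce                                                       # omit for report-only
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Report-only first: review what *would* be blocked in the sign-in logs, then enforce.
$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

# Body follows the Graph conditionalAccessPolicy schema. 'exchangeActiveSync' and
# 'other' are the two client app categories that cover legacy (basic-auth) protocols.
$body = @{
    displayName   = $DisplayName
    state         = $state
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = $BreakGlassUserIds   # never lock out the emergency account
        }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Idempotent: re-running the script updates the existing policy rather than adding a twin.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'"

if ($existing) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $body
    $policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id
    Write-Host "Updated existing policy $($policy.Id)"
}
else {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host "Created policy $($policy.Id)"
}

# Read back what the tenant actually stored instead of trusting the request body.
[pscustomobject]@{
    DisplayName    = $policy.DisplayName
    State          = $policy.State
    ClientAppTypes = ($policy.Conditions.ClientAppTypes -join ', ')
    ExcludeUsers   = ($policy.Conditions.Users.ExcludeUsers -join ', ')
    Controls       = ($policy.GrantControls.BuiltInControls -join ', ')
} | Format-List
```

Run it once without `-Enforce`, watch the report-only results in the Entra sign-in logs for the clients that still use basic authentication, and only then run it again with `-Enforce`; the display-name lookup means the second run flips the same policy from report-only to enabled rather than creating a second one.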