This repository contains a simple script that can help you deploy a good baseline of Conditional Access Policies to your Azure AD tenant. The following conditional access policies will be created, which should keep you covered in most circumstances:
- All apps - Block legacy authentication
- All apps - Require MFA for all guests
- All apps - Require MFA for all users assigned Azure AD roles
- All apps - Require MFA or compliant device for all users
- Azure management - Require MFA for all users
- Microsoft 365 - Enable session controls for all users
- Microsoft 365 - Require approved app for all users
- User action - Block register security info for all users when not in acceptable location
- User action - Require MFA for all users when registering device
- PowerShell 7
- Microsoft.Graph - will be installed automatically
- A named location is created in Azure AD, named Allowed to register security info, used to determine which countries are acceptable for users to be located in when self service registering SSPR or MFA
- Download or clone this repository to a computer with PowerShell 7
- Start pwsh.exe (or similar for Mac and Linux)
- Navigate to the folder where you downloaded this repository and run Deploy.ps1 with the following parameters
| Parameter | Required? | Type | Description |
|---|---|---|---|
| Tenant | Yes | String | The x.onmicrosoft.com tenant name of the tenant where you want to deploy the CA policies |
| ExemptedAccounts | Yes | String array | A list of users (upns or objectids) that will be exempted from policies blocking or requiring MFA or other grant |
| NamedLocationsForSecurityRegistration | No | String | The names of the named locations approved for registering security information |
| DeleteUnknownPolicies | No | Boolean | Set to true in order to automatically delete policies not convered by this deployment script |
The script supports the -WhatIf parameter, if you want to "pretend" to run the script first, to see what it will do.
.\Deploy.ps1 -Tenant "M365x843525.onmicrosoft.com" -ExemptedAccounts "AdeleV@M365x843525.OnMicrosoft.com","Admin@M365x843525.OnMicrosoft.com" -DeleteUnknownPolicies:$true -NamedLocationsForSecurityRegistration "Norway","Sweden","Denmark".\Deploy.ps1 -Tenant "M365x843525.onmicrosoft.com" -ExemptedAccounts "AdeleV@M365x843525.OnMicrosoft.com","Admin@M365x843525.OnMicrosoft.com" -Verbose -WhatIf