Automating Conditional Access using Graph API

As part of the new announcements from Microsoft Ignite, Microsoft has launched the ability to create Conditional Access policies using the Graph API. It is currently available under the beta API.

The simplest way to get started with the Graph API is the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#). Sign in with a user account that has Global Administrator access to a tenant with Conditional Access licenses as part of P1 or P2. Write operations for the conditional access policies and named locations APIs require two permissions: Policy.ReadWrite.ConditionalAccess and Directory.AccessAsUser.All. Generally the least privileged permission, Policy.ReadWrite.ConditionalAccess, should be sufficient, but at this time you should acquire a token with both of these permissions.

Now you can get a list of your current policies by querying the following REST URI. Note that this API call will not list the Baseline policies, nor whether they are active. Policies in “Report Only” mode will also not appear in the REST API, since that is a new feature.

https://graph.microsoft.com/beta/ConditionalAccess/Policies

This is an example of a Conditional Access policy which essentially blocks external guest users from logging in.

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies",
  "value": [
    {
      "id": "xxxxxxxxx-xxxxx-xxxxx",
      "displayName": "ca_block_guests",
      "createdDateTime": null,
      "modifiedDateTime": null,
      "state": "enabled",
      "sessionControls": null,
      "conditions": {
        "signInRiskLevels": [],
        "clientAppTypes": [],
        "platforms": null,
        "locations": null,
        "deviceStates": null,
        "applications": {
          "includeApplications": [
            "All"
          ],
          "excludeApplications": [],
          "includeUserActions": []
        },
        "users": {
          "includeUsers": [
            "GuestsOrExternalUsers"
          ],
          "excludeUsers": [],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": []
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [
          "block"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": []
      }
    }
  ]
}

To create a conditional access policy using the REST API you need to send the following request with the following header.

POST https://graph.microsoft.com/beta/conditionalAccess/policies 
Content-type: application/json

A policy is built up of the following constructs and sections. This is just to give an indication of the sections the template consists of.

{
  "displayName": "",
  "state": "enabled",
  "conditions": {
    "signInRiskLevels": [],
    "clientAppTypes": [],
    "applications": {
      "includeApplications": [],
      "excludeApplications": [],
      "includeUserActions": []
    },
    "users": {
      "includeUsers": [],
      "excludeUsers": [],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": []
    },
    "platforms": {
      "includePlatforms": [],
      "excludePlatforms": []
    },
    "locations": {
      "includeLocations": [],
      "excludeLocations": []
    },
    "deviceStates": {
      "includeStates": [],
      "excludeStates": []
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "mfa",
      "compliantDevice",
      "domainJoinedDevice",
      "approvedApplication",
      "compliantApplication"
    ]
  },
  "sessionControls": {
    "applicationEnforcedRestrictions": null,
    "persistentBrowser": null,
    "cloudAppSecurity": {
      "cloudAppSecurityType": "blockDownloads",
      "isEnabled": true
    },
    "signInFrequency": {
      "value": 4,
      "type": "hours",
      "isEnabled": true
    }
  }
}
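A hand-written body in the shape above is easy to mis-key, and the only feedback the service gives is a rejected request. The following pre-flight validator is an added example, not code from the page or from Microsoft: the allowed property names are copied from the template and the two policies shown on this page (not from the official schema), the rule that a policy must include at least one user/group/role and at least one application or user action is a local convention chosen here, and SAMPLE_WITH_TYPO is a constructed input.

```python
import json

# Property names per section, as listed in the template on the page. Any
# other key is reported so a misspelling is caught before a request is sent.
# (Assumption: this is the page's list, not the full service schema.)
ALLOWED_KEYS = {
    "": {"displayName", "state", "conditions", "grantControls", "sessionControls"},
    "conditions": {"signInRiskLevels", "clientAppTypes", "applications", "users",
                   "platforms", "locations", "deviceStates"},
    "conditions.applications": {"includeApplications", "excludeApplications",
                                "includeUserActions"},
    "conditions.users": {"includeUsers", "excludeUsers", "includeGroups",
                         "excludeGroups", "includeRoles", "excludeRoles"},
    "conditions.platforms": {"includePlatforms", "excludePlatforms"},
    "conditions.locations": {"includeLocations", "excludeLocations"},
    "conditions.deviceStates": {"includeStates", "excludeStates"},
    "grantControls": {"operator", "builtInControls", "customAuthenticationFactors",
                      "termsOfUse"},
    "sessionControls": {"applicationEnforcedRestrictions", "persistentBrowser",
                        "cloudAppSecurity", "signInFrequency"},
}
BUILT_IN_CONTROLS = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
                     "approvedApplication", "compliantApplication"}
STATES = {"enabled", "disabled"}  # the two states the page shows


def _check_keys(section, path, problems):
    """Recursively flag keys that are not known for this section."""
    allowed = ALLOWED_KEYS.get(path)
    if allowed is None or not isinstance(section, dict):
        return
    for key, value in section.items():
        if key not in allowed:
            problems.append(f"unknown property '{key}' in '{path or 'policy'}'")
        elif isinstance(value, dict):
            _check_keys(value, f"{path}.{key}" if path else key, problems)


def validate_policy(policy):
    """Return a list of problems; an empty list means the body looks sound."""
    if not isinstance(policy, dict):
        return ["policy body must be a JSON object"]
    problems = []
    _check_keys(policy, "", problems)

    if not policy.get("displayName"):
        problems.append("displayName is required")
    if policy.get("state") not in STATES:
        problems.append(f"state must be one of {sorted(STATES)}")

    # Local convention: a policy must target someone and something.
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = conditions.get("applications") or {}
    if not any(users.get(k) for k in ("includeUsers", "includeGroups", "includeRoles")):
        problems.append("conditions.users must include at least one user, group or role")
    if not apps.get("includeApplications") and not apps.get("includeUserActions"):
        problems.append("conditions.applications must include an application or user action")

    grant = policy.get("grantControls")
    if not grant and not policy.get("sessionControls"):
        problems.append("a policy needs grantControls or sessionControls to have any effect")
    if grant:
        if grant.get("operator") not in {"AND", "OR"}:
            problems.append("grantControls.operator must be AND or OR")
        unknown = set(grant.get("builtInControls") or []) - BUILT_IN_CONTROLS
        if unknown:
            problems.append(f"unknown builtInControls: {sorted(unknown)}")
    return problems


def validate_policy_text(text):
    """Validate a policy held as JSON text, reporting syntax errors first."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    return validate_policy(policy)


# Constructed sample: the page's 'require_mfa' shape with one key misspelt.
SAMPLE_WITH_TYPO = {
    "displayName": "require_mfa",
    "state": "disabled",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                  "exludeRoles": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for problem in validate_policy(SAMPLE_WITH_TYPO):
        print("-", problem)
```

Run the validator over every body your automation is about to POST or PATCH; a non-empty list means stop before the request goes out. Because the key sets are copied from the page, add to ALLOWED_KEYS as you start using properties the page does not show.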

So using this API you can essentially automate the different policies. As an example, here is a policy which enforces MFA on all Global Administrators. NOTE: you need to add the role ID of the directory role (you can find a list of the role IDs here –> https://github.com/Azure/azure-docs-powershell-azuread/blob/master/azureadps-2.0/AzureAD/Get-AzureADDirectoryRoleTemplate.md).

This is an example of setting up MFA enforcement for Global Administrators in non-active (disabled) mode.

{
  "displayName": "require_mfa",
  "state": "disabled",
  "conditions": {
    "applications": {
      "includeApplications": [
        "All"
      ]
    },
    "users": {
      "includeRoles": [
        "62e90394-69f5-4237-9190-012177145e10"
      ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "mfa"
    ]
  }
}

If I want to make updates to a policy I can use the PATCH verb, pointing at the policy's own URI, in my example https://graph.microsoft.com/beta/ConditionalAccess/Policies/15cc7c0f-175f-48d7-89a2-28cca46fe706

I then define only the section I need to update, such as the conditions, or the state to be enabled instead.

{ "conditions": { "signInRiskLevels": [ "high", "medium", "low" ] } }
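The create (POST), list (GET) and update (PATCH) calls described above, put together as a small client, as an added example that is not code from the page or from Microsoft. It uses only Python's standard library: `build_request` sets the `Authorization` bearer header and the `Content-type: application/json` header the page calls for, and the bearer token is assumed to be obtained separately (from the Graph Explorer sign-in or an OAuth library) and passed in. `FakeGraph` is a constructed stand-in for the service so the example runs offline, and the policy id it hands out is a placeholder; swap in the default `send` transport to talk to the real beta endpoint. `policies_not_enforcing` is a defender's after-run check added here: it lists policies that exist but are still `disabled`, which is exactly the state the `require_mfa` example is created in.

```python
import json
import urllib.request

# Endpoint and Global Administrator role ID exactly as they appear on the page.
POLICIES_URL = "https://graph.microsoft.com/beta/conditionalAccess/policies"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def mfa_for_global_admins(display_name="require_mfa", state="disabled"):
    """Body of the page's 'require MFA for Global Administrators' policy."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def build_request(method, url, token, body=None):
    """Assemble the HTTP request with the headers the page calls for."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-type", "application/json")
    return req


def send(req):
    """Default transport: perform the request and decode the JSON reply."""
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class ConditionalAccessClient:
    """List / create / update wrappers; `transport` is injectable for testing."""

    def __init__(self, token, transport=send):
        self.token = token
        self.transport = transport

    def list_policies(self):
        status, body = self.transport(build_request("GET", POLICIES_URL, self.token))
        return body.get("value", []) if status == 200 else []

    def create_policy(self, policy):
        return self.transport(build_request("POST", POLICIES_URL, self.token, policy))

    def update_policy(self, policy_id, patch):
        # PATCH carries only the sections being changed, e.g. {"state": "enabled"}.
        url = f"{POLICIES_URL}/{policy_id}"
        return self.transport(build_request("PATCH", url, self.token, patch))


def policies_not_enforcing(policies):
    """Names of policies that exist but are not 'enabled', sorted.

    A disabled policy protects nothing, so this is a cheap check after an
    automation run. Report-only policies are not returned by this API at all
    (see above), so they cannot be counted here.
    """
    return sorted(p["displayName"] for p in policies if p.get("state") != "enabled")


# Constructed stand-in for the service so the example runs without a tenant.
class FakeGraph:
    def __init__(self):
        self.requests = []   # every urllib Request handed to the transport
        self.policies = {}   # id -> policy body, as a tenant would hold them

    def __call__(self, req):
        self.requests.append(req)
        method, url = req.get_method(), req.full_url
        body = json.loads(req.data) if req.data else None
        if method == "GET":
            return 200, {"value": list(self.policies.values())}
        if method == "POST":
            new = dict(body, id="00000000-0000-0000-0000-000000000001")  # placeholder id
            self.policies[new["id"]] = new
            return 201, new
        if method == "PATCH":
            self.policies[url.rsplit("/", 1)[1]].update(body)
            return 204, {}
        return 405, {}


if __name__ == "__main__":
    fake = FakeGraph()
    client = ConditionalAccessClient("<token obtained separately>", transport=fake)
    _, created = client.create_policy(mfa_for_global_admins())
    print("not enforcing:", policies_not_enforcing(client.list_policies()))
    client.update_policy(created["id"], {"state": "enabled"})
    print("not enforcing after PATCH:", policies_not_enforcing(client.list_policies()))
```

Against a real tenant, construct the client with the default transport and a token carrying Policy.ReadWrite.ConditionalAccess (and, as the page notes, Directory.AccessAsUser.All for now); the flow is the same: create in `disabled` state, review, then PATCH `{"state": "enabled"}` once you are satisfied, and run `policies_not_enforcing` afterwards to confirm nothing was left switched off.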

So this allows us to further automate the setup of user tenants and security flows, and scale to multiple providers with ease.
