How to Deploy Conditional Access Templates with Graph PowerShell

Conditional Access templates are a great way to quickly deploy best practice settings to your environments. They can also help you simplify your processes and reduce your workload when deploying Conditional Access policies using PowerShell. 

In this tutorial, I will show you how to deploy Conditional Access policies from templates using Microsoft Graph PowerShell.

For a complete guide on deploying custom Conditional Access Policies using Microsoft Graph PowerShell, check out my tutorial: How to Create Conditional Access Policies with Microsoft Graph PowerShell

What are Conditional Access Templates?

Conditional Access templates are pre-defined Conditional Access policies which contain common and best practice conditions and controls to enable you to quickly and easily deploy Microsoft-recommended security in your tenant. The templates are broken down into 5 categories, all of which are detailed below:

  • Secure foundation
  • Zero Trust
  • Remote Work
  • Protect Administrator
  • Emerging threats

Here is a list of all available Conditional Access templates:

  • Require multifactor authentication for admins: secureFoundation, zeroTrust, protectAdmins
  • Securing security info registration: secureFoundation, zeroTrust, remoteWork
  • Block legacy authentication: secureFoundation, zeroTrust, remoteWork, protectAdmins
  • Require multifactor authentication for all users: secureFoundation, zeroTrust, remoteWork
  • Require multifactor authentication for guest access: zeroTrust, remoteWork
  • Require multifactor authentication for Azure management: secureFoundation, zeroTrust, protectAdmins
  • Require multifactor authentication for risky sign-ins: zeroTrust, remoteWork
  • Require password change for high-risk users: zeroTrust, remoteWork
  • Require compliant or hybrid Azure AD joined device for admins: remoteWork, protectAdmins
  • Block access for unknown or unsupported device platform: zeroTrust, remoteWork
  • No persistent browser session: zeroTrust, remoteWork
  • Require approved client apps or app protection policies: zeroTrust, remoteWork
  • Require compliant or hybrid Azure AD joined device or multifactor authentication for all users: secureFoundation, zeroTrust
  • Use application enforced restrictions for O365 apps: remoteWork
  • Require phishing-resistant multifactor authentication for admins: protectAdmins, emergingThreats
  • Require multifactor authentication for Microsoft admin portals (Preview): zeroTrust, protectAdmins

Pre-requisites and permissions

To create Conditional Access policies from templates using PowerShell we need to ensure we have the following:

1. Both the Microsoft Graph (v1.0) and Microsoft Graph Beta PowerShell modules need to be installed, because the template cmdlet lives in the Beta module while the policy cmdlet lives in the v1.0 module. Follow my tutorial here for detailed steps on installing the modules: https://ourcloudnetwork.com/how-to-install-the-microsoft-graph-powershell-sdk/

2. You will need to consent to the following permissions using a Global Administrator account in your tenant: Policy.Read.All and Policy.ReadWrite.ConditionalAccess.

Deploy Conditional Access templates using Microsoft Graph PowerShell

To deploy Conditional Access policies in Microsoft Entra from a template using Microsoft Graph PowerShell, you first need to connect to your environment with the required permissions detailed above:

Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.ConditionalAccess

Once you have connected, you can use the Get-MgBetaIdentityConditionalAccessTemplate cmdlet to identify which template you wish to use based on its description:

Get-MgBetaIdentityConditionalAccessTemplate 

Your output will look like the below:

(Screenshot: Get-MgBetaIdentityConditionalAccessTemplate results)

If this does not give you enough detailed information, the next best place to look is at the templates in the Microsoft Entra admin portal. Follow the below steps to analyse the templates from the portal:

  1. Log in to Microsoft Entra
  2. Expand Protection and select Conditional Access
  3. Click Create new policy from templates
  4. Evaluate the policy settings in each template by clicking View

(Screenshot: Conditional Access templates in the Microsoft Entra admin portal)

Once you have determined the correct template, find its ID using Get-MgBetaIdentityConditionalAccessTemplate again, then save that template to a variable as follows:

$catemplate = Get-MgBetaIdentityConditionalAccessTemplate `
-ConditionalAccessTemplateId c7503427-338e-4c5e-902d-abe252abfb43

To create your policy with this variable, use the New-MgIdentityConditionalAccessPolicy cmdlet. The following command will create a new policy using the template we specified above and ensure the policy is created in Report-only mode:

New-MgIdentityConditionalAccessPolicy `
-TemplateId $catemplate.Id `
-DisplayName $catemplate.Name `
-State enabledForReportingButNotEnforced
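The following script is an added example rather than code from the original post. It pulls the two steps above together, looks the template up by name instead of a copied ID, and checks whether a policy from that template already exists before creating one in Report-only mode. It assumes both Graph modules are installed and that the signed-in account can consent to the two scopes; the template name and the "CA - " display name prefix are constructed for the example.

```powershell
# Added example: deploy a Conditional Access template by name and avoid creating duplicates.
# Assumes Microsoft.Graph and Microsoft.Graph.Beta are installed and the account can grant the scopes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Any name from the template list above works here; this one is chosen for the example
$templateName = 'Block legacy authentication'

# Resolve the template by its display name rather than copying the GUID by hand
$template = Get-MgBetaIdentityConditionalAccessTemplate -All |
    Where-Object { $_.Name -eq $templateName }

if (-not $template) {
    throw "No Conditional Access template named '$templateName' was found in this tenant."
}

# Policies created from a template keep its ID in TemplateId, so check for an existing copy first
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.TemplateId -eq $template.Id }

if ($existing) {
    foreach ($p in $existing) {
        Write-Host "Policy '$($p.DisplayName)' already exists from this template (state: $($p.State)); nothing created."
    }
}
else {
    # Report-only first: review sign-in logs for impact before changing -State to 'enabled'
    $policy = New-MgIdentityConditionalAccessPolicy `
        -TemplateId $template.Id `
        -DisplayName "CA - $($template.Name)" `
        -State 'enabledForReportingButNotEnforced'

    Write-Host "Created '$($policy.DisplayName)' ($($policy.Id)) in Report-only mode."
}
```

Running it a second time reports the existing policy instead of creating another one, which keeps repeated deployments of the same template idempotent.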

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.