Comments on: Performing a Conditional Access Assessment with PowerShell https://practical365.com/performing-a-conditional-access-assessment-with-powershell/ Practical Office 365 News, Tips, and Tutorials Fri, 09 Aug 2024 00:12:55 +0000

By: Hemanth https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-297704 Fri, 09 Aug 2024 00:12:55 +0000 https://practical365.com/?p=56707#comment-297704 Hi Sean,
Thank you for the script.
Is there a way to get the below info:
All sign-ins (interactive, non-interactive, all, etc), whether or not they would’ve failed for a particular CA on Report-Only.
– This is marked via “Report-Only; Failure”.
– Need a two-week to one-month snapshot of all of these failures to review:
– – Who failed?
– – What failed (product, sign-in, etc)?
– – Origin IP

Your help is appreciated.

By: John https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-247752 Wed, 30 Nov 2022 23:47:55 +0000 https://practical365.com/?p=56707#comment-247752 Security has a problem granting group.read.all scope because with application permission type this can allow reading of all group conversations. Would the script work with just groupmember.read.all scope instead?

By: Leandro https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-243905 Thu, 29 Sep 2022 16:50:30 +0000 https://practical365.com/?p=56707#comment-243905 It worked perfectly here. Congratulations.
Is it possible to see if a policy is not accessed in X days or months?

By: Tom https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-241059 Wed, 27 Jul 2022 02:01:47 +0000 https://practical365.com/?p=56707#comment-241059 Hi Sean,
Thanks for sharing the scripts. I’ve been battling the Insights and Reporting for my report-only CAs.
Am I correct in saying that if a report-only CA is applied to a group, then the results for its application to a user in the group aren’t reflected correctly?
I’m noticing that enabled CAs for a group are applying correctly to users, but my Report-Only ones are not, which is making it hard to judge what the impact would be prior to enablement.
The same behaviour appears to be occurring with the ‘What If’ tool.

By: Casper https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-239324 Tue, 21 Jun 2022 10:50:10 +0000 https://practical365.com/?p=56707#comment-239324 Gotcha – makes sense. Thanks 🙂

By: Sean McAvinue https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-239300 Mon, 20 Jun 2022 19:34:48 +0000 https://practical365.com/?p=56707#comment-239300 In reply to Casper.

Graph API (including the new Graph SDK) modules all require an app registration to be created. The permissions granted to the app are limited to “read” permissions so beyond creating and consenting to the app reg there’s really no need to have anything more than Global Reader.

You could always modify it to use the Azure AD module but Graph is definitely the way forward for automation in Azure AD / O365, particularly if you want to future proof your code.

By: Casper https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-239297 Mon, 20 Jun 2022 18:27:55 +0000 https://practical365.com/?p=56707#comment-239297 Any chance the script can be built to run from the current user context if the needed permissions are in place? As external consultants doing Azure AD security reviews, we are only provided a Global Reader permission, and usually not allowed to install or register any apps or service principals.

By: Sean McAvinue https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-239284 Mon, 20 Jun 2022 14:33:24 +0000 https://practical365.com/?p=56707#comment-239284 In reply to craig ohler.

Good spot Craig! I’ll update the code. Thanks!

By: craig ohler https://practical365.com/performing-a-conditional-access-assessment-with-powershell/#comment-239283 Mon, 20 Jun 2022 14:30:40 +0000 https://practical365.com/?p=56707#comment-239283 Hi Sean, Very nice script. I definitely intend to “borrow” some of the graph API functions as I’ve been struggling with that.

I found one typo in your script that’s causing it to misreport the included locations. You just have it spelled as “includLocation” missing an e in a few places. Search/replace should fix it.

Thanks and keep up the great work.
