Conditional Access is a very helpful tool when it comes to limit access based on a given set of rules. However the experience using the Azure Portal is rather time consuming.

A quicker ways is to use Microsoft Graph API to get your policies up and running. Since all CAP API’s are currently in Beta, this means it is not supported to use them in a production environment.

Let´s say that we want to create a policy which requires MFA to access Exchange Online. First, you need these permissions in the Graph API Explorer: Policy.ReadWrite.ConditionalAccess and Application.Read.All

Here´s the JSON request creating the policy requiring MFA for all connections to Exchange Online except from locations marked as “Trusted Locations” (Usually these are used for your Public IP CIDR Ranges.

POST https://graph.microsoft.com/beta/conditionalAccess/policies
Content-type: application/json

{
    "displayName": "Access to EXO requires MFA",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": [
            "modern",
            "browser"
        ],
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ]
        },
        "users": {
            "includeUsers":[
               "All"
        },
        "locations": {
            "includeLocations": [
                "All"
            ],
            "excludeLocations": [
                "AllTrusted"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ]
    }
}

In a matter of minutes, a brand new policy will be created in your tenant. With the response of: 

HTTP/1.1 201 Created

If you want to check your recently created policy to make sure that your settings are enforced, you can of course utilize the API for this aswell:

GET https://graph.microsoft.com/beta/conditionalAccess/policies/{id}

Where {id} is the id of your newly created policy. This is can be obtained by running:

GET https://graph.microsoft.com/beta/conditionalAccess/policies/

A tip is setting the state to “Report-Only” thus negating any negative impact on your users, i.e locking your Global Administrator out of your tenant.

And without further ado, that´s pretty much it. Now you´ve learned to create a Conditional Access Policy using Graph API, there´s no stopping you from applying this (except for the caveat above about not being supported in production). Using Graph together with GUI/Powershell helps you to manage your environment in a modern way.

On By Viktor Hedberg

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.