Skip to content

Deployment of Zero Trust, persona-based Azure AD Conditional Access Policies via Microsoft Graph, utilizing PowerShell.

License

Notifications You must be signed in to change notification settings

dwarfered/conditional-access-for-zero-trust

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

73 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Conditional Access for Zero Trust

Deployment of Zero Trust, persona-based Azure AD Conditional Access Policies via Microsoft Graph, utilizing PowerShell.

Based upon the excellent Microsoft Learn: Conditional Access architecture and personas and Framework and policies pages authored by Claus Jespersen.

Prerequisite

PowerShell SDK for Microsoft Graph

Install-Module Microsoft.Graph -AllowClobber -Force

Optionally, also install:

Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Conditional Access Policies as code deployed via the PowerShell SDK for Microsoft Graph.

Policies

Policies can be deployed in any order and will be 'Off' by default.

Persona groups will be created if they do not already exist.

This collection is a work in progress.

Internals

CA200-Internals-BaseProtection-AllApps-AnyPlatform-CompliantorAADHJ

Internals require a Compliant or Domain-Joined Device.

CA201-Internals-IdentityProtection-AllApps-AnyPlatform-CombinedRegistration

Internals performing Security registration (ie. MFA enrollment) require a Compliant or Domain-Joined Device.

CA202-Internals-IdentityProtection-AllApps-AnyPlatform-MFAandPWDforHighUserRisk

Internals with High User Risk must perform MFA and change their password.

CA203-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforHighSignInRisk

Internals with High Sign-In Risk must perform MFA.

CA204-Internals-IdentityProtection-AllApps-AnyPlatform-BlockLegacyAuth

Internals are blocked from Legacy Authentication methods.

CA205-Internals-AppProtection-MicrosoftIntuneEnrollment-AnyPlatform-MFA

Internals must perform MFA to enroll a device.

CA206-Internals-DataandAppProtection-Office365-iOSorAndroid-ClientAppORAPP

Internals accessing Office 365 from iOS or Android must use an Approved App or an App Protection Policy.

CA207-Internals-AttackSurfaceReduction-AllApps-AnyPlatform-BlockUnknownPlatforms

Internals on unknown platforms are blocked.

Guests

CA400-Guests-BaseProtection-AllApps-AnyPlatform-MFA

Guests must perform MFA.

CA402-Guests-IdentityProtection-AllApps-AnyPlatform-MFAforMediumandHighUserandSignInRisk

Guests with Medium or High Risk must always perform MFA.

CA403-Guests-IdentityProtection-AllApps-AnyPlatform-BlockLegacyAuth

Guests are blocked from Legacy Authentication methods.

CA406-Guests-DataProtection-AllApps-AnyPlatform-SignInSessionPolicy

Guests have a limited Sign-In Session.

Workload Identities

CA900-WorkloadIdentities-BaseProtection-AllApps-AnyPlatform-BlockUntrustedLocations

Workload Identities in untrusted locations are blocked.

CA901-WorkloadIdentities-BaseProtection-AllApps-AnyPlatform-BlockHighRisk

Workload Identities with High Risk are blocked.

About

Deployment of Zero Trust, persona-based Azure AD Conditional Access Policies via Microsoft Graph, utilizing PowerShell.

Topics

Resources

License

Stars

Watchers

Forks