Conditional Access is the cornerstone of Zero Trust security in Microsoft Entra ID. Rather than managing dozens of policies by hand through the Azure portal, you can use PowerShell and the Microsoft Graph API to define, deploy, and version-control your policies with confidence.
Prerequisites
You will need the Microsoft.Graph PowerShell module and an app registration with Policy.ReadWrite.ConditionalAccess and Policy.Read.All delegated permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

Reading Existing Policies
Before making changes, export all existing policies so you have a rollback baseline.
$policies = Get-MgIdentityConditionalAccessPolicy
$policies | Select-Object DisplayName, State, Id | Format-Table -AutoSize
# Export to JSON for source control
$policies | ConvertTo-Json -Depth 10 | Out-File "CA-Baseline-$(Get-Date -Format 'yyyyMMdd').json"

Creating a Require MFA Policy
The following example creates a policy that requires MFA for all users except break-glass emergency accounts, targeting all cloud applications.
$breakGlassGroupId = "your-break-glass-group-id"   # object ID of the emergency-access group
$body = @{
    displayName = "Require MFA - All Users"
    # Report-only first; switch to "enabled" only after reviewing the sign-in logs
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
        # The Graph API requires clientAppTypes on the condition set; "all" covers every client type
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $body

Enabling a Policy Safely
Always deploy new policies in report-only mode first, review the sign-in logs, and only switch to enabled once you are satisfied.
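The "review the sign-in logs" step, as an added example that is not part of the original post: it pulls a week of sign-ins, keeps the ones where the report-only policy was evaluated, and flags any sign-in where a break-glass account was in scope. It assumes the Microsoft.Graph module, the AuditLog.Read.All permission, and placeholder values for $policyId and $breakGlassUpns that you replace for your tenant.

```powershell
# Added example: summarise report-only results for one policy before enabling it.
# Assumes Microsoft.Graph is installed; $policyId and $breakGlassUpns are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.Read.All"

$policyId       = "your-policy-id"
$breakGlassUpns = @("breakglass1@contoso.example","breakglass2@contoso.example")  # placeholder accounts
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Each sign-in carries the CA evaluation for every policy in AppliedConditionalAccessPolicies.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only the sign-ins where this policy was evaluated (the filter is client-side).
$evaluations = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $policyId }
    if ($hit) {
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            # reportOnlySuccess / reportOnlyFailure / reportOnlyInterrupted / reportOnlyNotApplied
            Result = $hit.Result
        }
    }
}

# 1. Overall impact: how many sign-ins would have been challenged or blocked once enforced.
$evaluations | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# 2. Lockout guard: a break-glass account must never be in scope of this policy.
$breakGlassHits = $evaluations | Where-Object {
    ($breakGlassUpns -contains $_.User) -and ($_.Result -ne "reportOnlyNotApplied")
}
if ($breakGlassHits) {
    Write-Warning "Policy $policyId applied to a break-glass account; fix the exclusion before enabling."
    $breakGlassHits | Format-Table -AutoSize
} else {
    Write-Host "No break-glass account was in scope of $policyId during the review window."
}

# 3. Who would have been affected: confirm the list matches the intended audience.
$evaluations |
    Where-Object { $_.Result -in @("reportOnlyFailure","reportOnlyInterrupted") } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count -First 20
```

Only move on to the enable step below once the result breakdown shows the expected users and the break-glass check is clean.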
$policyId = "your-policy-id"
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId `
    -State "enabled"

Summary
Managing Conditional Access through PowerShell enables consistent, auditable policy deployment across all your Entra ID tenants. Combining this with a GitHub Actions pipeline means every policy change goes through code review before it reaches production — dramatically reducing the risk of accidental lockouts or security gaps.