Test-MgIdentityConditionalAccess
Evaluates the applicability of Conditional Access Policies in your tenant based on the provided sign-in properties.
Note
To view the beta release of this cmdlet, view Test-MgBetaIdentityConditionalAccess
Syntax
EvaluateExpanded (Default)
Test-MgIdentityConditionalAccess
[-ResponseHeadersVariable <string>]
[-AdditionalProperties <hashtable>]
[-AppliedPoliciesOnly]
[-SignInConditions <IMicrosoftGraphSignInConditions>]
[-SignInContext <hashtable>]
[-SignInIdentity <hashtable>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Evaluate
Test-MgIdentityConditionalAccess
-BodyParameter <IPathsDqhne3IdentityConditionalaccessMicrosoftGraphEvaluatePostRequestbodyContentApplicationJsonSchema>
[-ResponseHeadersVariable <string>]
[-Break]
[-Headers <IDictionary>]
[-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>]
[-Proxy <uri>]
[-ProxyCredential <pscredential>]
[-ProxyUseDefaultCredentials]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Evaluates the applicability of Conditional Access Policies in your tenant based on the provided sign-in properties.
Permissions
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Policy.Read.ConditionalAccess, Policy.ReadWrite.ConditionalAccess, Policy.Read.All |
| Delegated (personal Microsoft account) | Not supported |
| Application | Policy.Read.ConditionalAccess, Policy.ReadWrite.ConditionalAccess, Policy.Read.All |
Examples
EXAMPLE 1
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
    signInIdentity = @{
        "@odata.type" = "#microsoft.graph.userSignIn"
        userId = "15dc174b-f34c-4588-ac45-61d6e05dce93"
    }
    signInContext = @{
        "@odata.type" = "#microsoft.graph.applicationContext"
        includeApplications = @(
            "00000003-0000-0ff1-ce00-000000000000"
        )
    }
    signInConditions = @{
        devicePlatform = "android"
        clientAppType = "browser"
        signInRiskLevel = "high"
        userRiskLevel = "high"
        country = "US"
        ipAddress = "40.77.182.32"
        insiderRiskLevel = "elevated"
        authenticationFlow = @{
            transferMethod = "deviceCodeFlow"
        }
        deviceInfo = @{
            isCompliant = $true
        }
    }
    appliedPoliciesOnly = $true
}
Test-MgIdentityConditionalAccess -BodyParameter $params
EXAMPLE 2
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
    signInIdentity = @{
        "@odata.type" = "#microsoft.graph.userSignIn"
        userId = "15dc174b-f34c-4588-ac45-61d6e05dce93"
    }
    signInContext = @{
        "@odata.type" = "#microsoft.graph.authContext"
        authenticationContextValue = "c37"
    }
    signInConditions = @{
        devicePlatform = "windows"
        clientAppType = "mobileAppsAndDesktopClients"
        signInRiskLevel = "medium"
        userRiskLevel = "none"
        country = "US"
        ipAddress = "40.77.182.32"
        insiderRiskLevel = "moderate"
        authenticationFlow = @{
            transferMethod = "authenticationTransfer"
        }
        deviceInfo = @{
            profileType = "Standard"
        }
    }
    appliedPoliciesOnly = $true
}
Test-MgIdentityConditionalAccess -BodyParameter $params
EXAMPLE 3
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
    signInIdentity = @{
        "@odata.type" = "#microsoft.graph.userSignIn"
        userId = "15dc174b-f34c-4588-ac45-61d6e05dce93"
    }
    signInContext = @{
        "@odata.type" = "#microsoft.graph.userActionContext"
        userAction = "registerSecurityInformation"
    }
    signInConditions = @{
        devicePlatform = "macOS"
        clientAppType = "browser"
        signInRiskLevel = "low"
        userRiskLevel = "high"
        servicePrincipalRiskLevel = "none"
        country = "CA"
        ipAddress = "40.77.182.32"
        insiderRiskLevel = "minor"
        authenticationFlow = @{
            transferMethod = "deviceCodeFlow"
        }
        deviceInfo = @{
            trustType = "EntraID"
        }
    }
    appliedPoliciesOnly = $true
}
Test-MgIdentityConditionalAccess -BodyParameter $params
EXAMPLE 4
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
    signInIdentity = @{
        "@odata.type" = "#microsoft.graph.servicePrincipalSignIn"
        servicePrincipalId = "c65b94a5-0049-439a-a6fd-bce307077730"
    }
    signInContext = @{
        "@odata.type" = "#microsoft.graph.applicationContext"
        includeApplications = @(
            "00000003-0000-0ff1-ce00-000000000000"
        )
    }
    signInConditions = @{
        servicePrincipalRiskLevel = "high"
        country = "CA"
        ipAddress = "40.77.182.32"
    }
    appliedPoliciesOnly = $true
}
Test-MgIdentityConditionalAccess -BodyParameter $params
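The following is an added example, not part of the original documentation: it runs several constructed sign-in scenarios through the cmdlet with the same request shape as the examples above and flags any scenario for which no enforced policy applies. The helper name New-CaWhatIfBody, the placeholder user ID, the scenario set, and the DisplayName and State properties read from the returned objects are assumptions.

```powershell
Import-Module Microsoft.Graph.Identity.SignIns

# The least-privileged permission from the Permissions table is enough for evaluation.
Connect-MgGraph -Scopes 'Policy.Read.ConditionalAccess'

# Constructed placeholder: replace with the object ID of a test user in your tenant.
$userId = '00000000-0000-0000-0000-000000000001'
# Application ID taken from the examples above.
$appId  = '00000003-0000-0ff1-ce00-000000000000'

# Hypothetical helper: build one evaluate request body around a set of sign-in conditions.
function New-CaWhatIfBody {
    param(
        [Parameter(Mandatory)] [string]    $UserId,
        [Parameter(Mandatory)] [string]    $AppId,
        [Parameter(Mandatory)] [hashtable] $Conditions
    )
    @{
        signInIdentity = @{
            '@odata.type' = '#microsoft.graph.userSignIn'
            userId        = $UserId
        }
        signInContext = @{
            '@odata.type'       = '#microsoft.graph.applicationContext'
            includeApplications = @($AppId)
        }
        signInConditions    = $Conditions
        appliedPoliciesOnly = $true
    }
}

# Constructed scenarios; every key and value is one used in the examples above.
$scenarios = [ordered]@{
    'Device code flow from Android browser' = @{ devicePlatform = 'android'; clientAppType = 'browser'; authenticationFlow = @{ transferMethod = 'deviceCodeFlow' } }
    'High sign-in risk on Windows client'   = @{ devicePlatform = 'windows'; clientAppType = 'mobileAppsAndDesktopClients'; signInRiskLevel = 'high' }
    'High user risk from macOS browser'     = @{ devicePlatform = 'macOS'; clientAppType = 'browser'; userRiskLevel = 'high' }
}

$report = foreach ($name in $scenarios.Keys) {
    $body    = New-CaWhatIfBody -UserId $userId -AppId $appId -Conditions $scenarios[$name]
    $applied = @(Test-MgIdentityConditionalAccess -BodyParameter $body)
    # Assumption: result objects carry the policy's DisplayName and State.
    # A report-only policy that applies does not enforce anything, so count only 'enabled'.
    $enforced = @($applied | Where-Object { $_.State -eq 'enabled' })
    [pscustomobject]@{
        Scenario        = $name
        AppliedPolicies = ($applied.DisplayName -join '; ')
        EnforcedCount   = $enforced.Count
        CoverageGap     = ($enforced.Count -eq 0)
    }
}

$report | Format-Table -AutoSize -Wrap
```

Rows with CoverageGap set to True are sign-in scenarios that no enforced Conditional Access policy covers for the chosen user and application.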
Parameters
-AdditionalProperties
Additional Parameters
Parameter properties
| Type: | System.Collections.Hashtable |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
EvaluateExpanded
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-AppliedPoliciesOnly
Evaluates the applicability of Conditional Access Policies in your tenant based on the provided sign-in properties.
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
EvaluateExpanded
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-BodyParameter
To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Parameter properties
| Type: | Microsoft.Graph.PowerShell.Models.IPathsDqhne3IdentityConditionalaccessMicrosoftGraphEvaluatePostRequestbodyContentApplicationJsonSchema |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
Evaluate
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Break
Wait for .NET debugger to attach
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | cf |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Headers
Optional headers that will be added to the request.
Parameter properties
| Type: | System.Collections.IDictionary |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-HttpPipelineAppend
SendAsync Pipeline Steps to be appended to the front of the pipeline
Parameter properties
| Type: | Microsoft.Graph.PowerShell.Runtime.SendAsyncStep[] |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-HttpPipelinePrepend
SendAsync Pipeline Steps to be prepended to the front of the pipeline
Parameter properties
| Type: | Microsoft.Graph.PowerShell.Runtime.SendAsyncStep[] |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Proxy
The URI for the proxy server to use
Parameter properties
| Type: | System.Uri |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ProxyCredential
Credentials for a proxy server to use for the remote call
Parameter properties
| Type: | System.Management.Automation.PSCredential |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ProxyUseDefaultCredentials
Use the default credentials for the proxy
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Default value: | False |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Parameter properties
| Type: | System.String |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | RHV |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-SignInConditions
signInConditions. To construct, see NOTES section for SIGNINCONDITIONS properties and create a hash table.
Parameter properties
| Type: | Microsoft.Graph.PowerShell.Models.IMicrosoftGraphSignInConditions |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
EvaluateExpanded
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-SignInContext
signInContext
Parameter properties
| Type: | System.Collections.Hashtable |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
EvaluateExpanded
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-SignInIdentity
signInIdentity
Parameter properties
| Type: | System.Collections.Hashtable |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
EvaluateExpanded
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-WhatIf
Runs the command in a mode that only reports what would happen without performing the actions.
Parameter properties
| Type: | System.Management.Automation.SwitchParameter |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | wi |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
Microsoft.Graph.PowerShell.Models.IPathsDqhne3IdentityConditionalaccessMicrosoftGraphEvaluatePostRequestbodyContentApplicationJsonSchema
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphWhatIfAnalysisResult
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IPathsDqhne3IdentityConditionalaccessMicrosoftGraphEvaluatePostRequestbodyContentApplicationJsonSchema>: .
  [(Any) <Object>]: This indicates any property can be added to this object.
  [AppliedPoliciesOnly <Boolean?>]:
  [SignInConditions <IMicrosoftGraphSignInConditions>]: signInConditions
    [(Any) <Object>]: This indicates any property can be added to this object.
    [AuthenticationFlow <IMicrosoftGraphAuthenticationFlow>]: authenticationFlow
      [(Any) <Object>]: This indicates any property can be added to this object.
      [TransferMethod <String>]: conditionalAccessTransferMethods
    [ClientAppType <String>]: conditionalAccessClientApp
    [Country <String>]: Country from where the identity is authenticating.
    [DeviceInfo <IMicrosoftGraphDeviceInfo>]: deviceInfo
      [(Any) <Object>]: This indicates any property can be added to this object.
      [DeviceId <String>]: Unique identifier set by Azure Device Registration Service at the time of registration.
      [DisplayName <String>]: The display name for the device.
      [EnrollmentProfileName <String>]: Enrollment profile applied to the device.
      [ExtensionAttribute1 <String>]: Extension attribute.
      [ExtensionAttribute10 <String>]: Extension attribute.
      [ExtensionAttribute11 <String>]: Extension attribute.
      [ExtensionAttribute12 <String>]: Extension attribute.
      [ExtensionAttribute13 <String>]: Extension attribute.
      [ExtensionAttribute14 <String>]: Extension attribute.
      [ExtensionAttribute15 <String>]: Extension attribute.
      [ExtensionAttribute2 <String>]: Extension attribute.
      [ExtensionAttribute3 <String>]: Extension attribute.
      [ExtensionAttribute4 <String>]: Extension attribute.
      [ExtensionAttribute5 <String>]: Extension attribute.
      [ExtensionAttribute6 <String>]: Extension attribute.
      [ExtensionAttribute7 <String>]: Extension attribute.
      [ExtensionAttribute8 <String>]: Extension attribute.
      [ExtensionAttribute9 <String>]: Extension attribute.
      [IsCompliant <Boolean?>]: Indicates the device compliance status with Mobile Device Management (MDM) policies. Default is false.
      [Manufacturer <String>]: Manufacturer of the device.
      [MdmAppId <String>]: Application identifier used to register device into MDM.
      [Model <String>]: Model of the device.
      [OperatingSystem <String>]: The type of operating system on the device.
      [OperatingSystemVersion <String>]: The version of the operating system on the device.
      [Ownership <String>]: Ownership of the device. This property is set by Intune.
      [PhysicalIds <String[]>]: A collection of physical identifiers for the device.
      [ProfileType <String>]: The profile type of the device.
      [SystemLabels <String[]>]: List of labels applied to the device by the system.
      [TrustType <String>]: Type of trust for the joined device.
    [DevicePlatform <String>]: conditionalAccessDevicePlatform
    [IPAddress <String>]: IP address of the authenticating identity.
    [InsiderRiskLevel <String>]: insiderRiskLevel
    [ServicePrincipalRiskLevel <String>]: riskLevel
    [SignInRiskLevel <String>]: riskLevel
    [UserRiskLevel <String>]: riskLevel
  [SignInContext <IMicrosoftGraphSignInContext>]: signInContext
    [(Any) <Object>]: This indicates any property can be added to this object.
  [SignInIdentity <IMicrosoftGraphSignInIdentity>]: signInIdentity
    [(Any) <Object>]: This indicates any property can be added to this object.
SIGNINCONDITIONS <IMicrosoftGraphSignInConditions>: signInConditions
  [(Any) <Object>]: This indicates any property can be added to this object.
  [AuthenticationFlow <IMicrosoftGraphAuthenticationFlow>]: authenticationFlow
    [(Any) <Object>]: This indicates any property can be added to this object.
    [TransferMethod <String>]: conditionalAccessTransferMethods
  [ClientAppType <String>]: conditionalAccessClientApp
  [Country <String>]: Country from where the identity is authenticating.
  [DeviceInfo <IMicrosoftGraphDeviceInfo>]: deviceInfo
    [(Any) <Object>]: This indicates any property can be added to this object.
    [DeviceId <String>]: Unique identifier set by Azure Device Registration Service at the time of registration.
    [DisplayName <String>]: The display name for the device.
    [EnrollmentProfileName <String>]: Enrollment profile applied to the device.
    [ExtensionAttribute1 <String>]: Extension attribute.
    [ExtensionAttribute10 <String>]: Extension attribute.
    [ExtensionAttribute11 <String>]: Extension attribute.
    [ExtensionAttribute12 <String>]: Extension attribute.
    [ExtensionAttribute13 <String>]: Extension attribute.
    [ExtensionAttribute14 <String>]: Extension attribute.
    [ExtensionAttribute15 <String>]: Extension attribute.
    [ExtensionAttribute2 <String>]: Extension attribute.
    [ExtensionAttribute3 <String>]: Extension attribute.
    [ExtensionAttribute4 <String>]: Extension attribute.
    [ExtensionAttribute5 <String>]: Extension attribute.
    [ExtensionAttribute6 <String>]: Extension attribute.
    [ExtensionAttribute7 <String>]: Extension attribute.
    [ExtensionAttribute8 <String>]: Extension attribute.
    [ExtensionAttribute9 <String>]: Extension attribute.
    [IsCompliant <Boolean?>]: Indicates the device compliance status with Mobile Device Management (MDM) policies. Default is false.
    [Manufacturer <String>]: Manufacturer of the device.
    [MdmAppId <String>]: Application identifier used to register device into MDM.
    [Model <String>]: Model of the device.
    [OperatingSystem <String>]: The type of operating system on the device.
    [OperatingSystemVersion <String>]: The version of the operating system on the device.
    [Ownership <String>]: Ownership of the device. This property is set by Intune.
    [PhysicalIds <String[]>]: A collection of physical identifiers for the device.
    [ProfileType <String>]: The profile type of the device.
    [SystemLabels <String[]>]: List of labels applied to the device by the system.
    [TrustType <String>]: Type of trust for the joined device.
  [DevicePlatform <String>]: conditionalAccessDevicePlatform
  [IPAddress <String>]: IP address of the authenticating identity.
  [InsiderRiskLevel <String>]: insiderRiskLevel
  [ServicePrincipalRiskLevel <String>]: riskLevel
  [SignInRiskLevel <String>]: riskLevel
  [UserRiskLevel <String>]: riskLevel