Articles in this section

See more
Print

Troubleshooting Conditional Access Policy enforcement on Office 365 Connection Account

  • Updated
Follow

Summary: This article contains step-by-step instructions on how to troubleshoot Conditional Access Policy (CAP) enforcement on Microsoft 365 connection account.

Applies to: Cayosoft Administrator 8.4.0 or higher  

ID: KB20220419-1

Check if CAP affects Microsoft 365 connection account

  1. In Azure AD admin center navigate to Conditional Access Policies > What If and specify the following parameters:
    1. User or Workload identity: specify Microsoft 365 connection account.
    2. Cloud apps, actions, or authentication context: specify the cloud app you want to test. For example, Office 365 Exchange Online (00000002-0000-0ff1-ce00-000000000000)
    3. IP address: specify the IP address the user is signing in from.
    4. Country: specify the country the user is signing in from.
    5. Device platform: specify the device platform the user is signing in from. For example, Windows.
    6. Client apps: specify the client app the user is signing in from, Usually it is Mobile apps and desktop clients - Other clients.
    7. Device state (Preview): Leave the default.
    8. Sign-in risk: Leave the default.
  2.  Click What if to get the reports of 'Policies that will apply' and 'Policies that will not apply'.

 

How to get continuous access evaluation settings information

  1.  Run PowerShell ISE console with administrative privilege.
  2.  Install Cayosoft.Graph module and get your Continuous access evaluation settings information. When prompted, specify admin account credential, then grant admin consent to execute the code:
     
    Install-Module Cayosoft.Graph
    Connect-CGraph -Scope "Policy.Read.All" 
    Get-CGraph continuousAccessEvaluationPolicy -beta -Parent "/identity" | ConvertTo-Json
  3. The script below collects information about your conditional access policies. When prompted, specify the global administrator account credential:
     
    <# 
    .SYNOPSIS 
    dump-cap.ps1 - Dump conditional access policy information
     
    .DESCRIPTION
    PRE-REQUIREMENTS:
    HOW TO:
    - Set the "$logFile" with the path and name of the file that would contain output
    DESCRIPTION:
    This script connects to the Azure AD and dumps conditional access policy information
     
    .OUTPUTS 
    Results are printed to the file and console.
     
    .NOTES 
    Copyright Cayosoft Inc. 2020 
     
    Change Log 
    V1.0, 2020-04-27 - Initial version 
    #> # -------- Configuration -------- # Results output file. Ex: "C:\Temp\RunlogFile.txt" $logFile=".\RunlogFile$([datetime]::now.ToString(""yyyyMMdd-HHmmssfff"")).txt" # Specify tenant name or leave default value "organizations" $tenant = "organizations" # -------- Do not modify script below this line -------- $credentials = $null function GetPasswordTokenV2($u, $p, $scope, $appId){
      $reqBody = @{
        "client_id"=$appId;
        "scope"=$scope;
        "username"=$u;
        "password"=$p;
        "grant_type"="password"
      };
      $jsonresult = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -Headers $authHeader -ContentType 'application/x-www-form-urlencoded' -Body $reqBody return $jsonresult
    }
    function GetData($url, $token){
      $authHeader = @{"Authorization" = "Bearer $token"}
      $jsonresult = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/$url" -Headers $authHeader -ContentType 'application/x-www-form-urlencoded' return $jsonresult
    }
    function Log($s){
      $logStr="[$([datetime]::now.ToString(""yyyy-MM-dd HH:mm:ss.fff""))] $($s)" Add-Content -Path $logFile -Value $logStr Write-Host $logStr
    }
    function LogError($s){
      $logStr="[$([datetime]::now.ToString(""yyyy-MM-dd HH:mm:ss.fff""))] $($s)" Add-Content -Path $logFile -Value $logStr Write-Error $logStr
    }
    Log "---------------------------------------"
    Log "Dump CAPs script v1"
    Log "---------------------------------------"
    Log "" $credentials = Get-Credential -Message "Tenant global admin credentials:"
    Log "Tenant: $($tenant) User: $($credentials.UserName)" $token = $null if ($null -ne $credentials){
      try{
        $token = GetPasswordTokenV2 $credentials.UserName $credentials.GetNetworkCredential().Password "https://graph.microsoft.com/.default" "1b730954-1685-4b74-9bfd-dac224a7b894"
        
        Log "Connected."
      }
      catch{ LogError "Failed to establish connection. Error details: $($error[0])" }
    }else{
      LogError "No credentials provided. Please, provide valid credentials and try again."
    }
    if ($null -ne $token){
      $policies = $null try{ $policies = GetData "identity/conditionalAccess/policies" $token.access_token }
      catch{ LogError "Failed to get policy inforamtion. Error details: $($error[0])" } 
      
      if ($null -ne $policies) {
        Log "Policy information:"
        Log ($policies | ConvertTo-Json -Depth 10)
      }else{
        Log "No policy information."
      }
    }
    Log "Done" Write-Host "Press enter to continue..." Read-Host



Related articles

Comments

0 comments

Please sign in to leave a comment.