Summary: This article contains step-by-step instructions on how to troubleshoot Conditional Access Policy (CAP) enforcement on the Microsoft 365 connection account.
Applies to: Cayosoft Administrator 8.4.0 or higher
ID: KB20220419-1
Check if CAP affects Microsoft 365 connection account
- In the Azure AD admin center, navigate to Conditional Access Policies > What If and specify the following parameters:
  - User or Workload identity: specify the Microsoft 365 connection account.
  - Cloud apps, actions, or authentication context: specify the cloud app you want to test. For example, Office 365 Exchange Online (00000002-0000-0ff1-ce00-000000000000).
  - IP address: specify the IP address the user is signing in from.
  - Country: specify the country the user is signing in from.
  - Device platform: specify the device platform the user is signing in from. For example, Windows.
  - Client apps: specify the client app the user is signing in from. Usually it is Mobile apps and desktop clients - Other clients.
  - Device state (Preview): leave the default.
  - Sign-in risk: leave the default.
- Click What if to get the reports 'Policies that will apply' and 'Policies that will not apply'.
How to get continuous access evaluation settings information
- Run the PowerShell ISE console with administrative privileges.
- Install the Cayosoft.Graph module and get your continuous access evaluation settings. When prompted, specify the admin account credentials, then grant admin consent to execute the code:
```powershell
Install-Module Cayosoft.Graph
Connect-CGraph -Scope "Policy.Read.All"
Get-CGraph continuousAccessEvaluationPolicy -beta -Parent "/identity" | ConvertTo-Json
```

- The script below collects information about your conditional access policies. When prompted, specify the global administrator account credentials:
```powershell
<#
.SYNOPSIS
dump-cap.ps1 - Dump conditional access policy information
.DESCRIPTION
PRE-REQUIREMENTS:
HOW TO:
- Set the "$logFile" with the path and name of the file that would contain output
DESCRIPTION:
This script connects to the Azure AD and dumps conditional access policy information
.OUTPUTS
Results are printed to the file and console.
.NOTES
Copyright Cayosoft Inc. 2020
Change Log
V1.0, 2020-04-27 - Initial version
#>

# -------- Configuration --------
# Results output file. Ex: "C:\Temp\RunlogFile.txt"
$logFile = ".\RunlogFile$([datetime]::Now.ToString('yyyyMMdd-HHmmssfff')).txt"
# Specify tenant name or leave default value "organizations"
$tenant = "organizations"

# -------- Do not modify script below this line --------
$credentials = $null

# Requests an access token with the resource owner password (ROPC) grant.
# ROPC cannot satisfy MFA, so it fails for accounts that a Conditional Access
# policy requires to use MFA.
function GetPasswordTokenV2($u, $p, $scope, $appId) {
    $reqBody = @{
        "client_id"  = $appId
        "scope"      = $scope
        "username"   = $u
        "password"   = $p
        "grant_type" = "password"
    }
    $jsonresult = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -ContentType 'application/x-www-form-urlencoded' -Body $reqBody
    return $jsonresult
}

# Calls the Microsoft Graph beta endpoint with the bearer token
function GetData($url, $token) {
    $authHeader = @{ "Authorization" = "Bearer $token" }
    $jsonresult = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/$url" -Headers $authHeader
    return $jsonresult
}

# Writes a timestamped line to the log file and the console
function Log($s) {
    $logStr = "[$([datetime]::Now.ToString('yyyy-MM-dd HH:mm:ss.fff'))] $($s)"
    Add-Content -Path $logFile -Value $logStr
    Write-Host $logStr
}

function LogError($s) {
    $logStr = "[$([datetime]::Now.ToString('yyyy-MM-dd HH:mm:ss.fff'))] $($s)"
    Add-Content -Path $logFile -Value $logStr
    Write-Error $logStr
}

Log "---------------------------------------"
Log "Dump CAPs script v1"
Log "---------------------------------------"
Log ""
$credentials = Get-Credential -Message "Tenant global admin credentials:"
Log "Tenant: $($tenant) User: $($credentials.UserName)"
$token = $null
if ($null -ne $credentials) {
    try {
        $token = GetPasswordTokenV2 $credentials.UserName $credentials.GetNetworkCredential().Password "https://graph.microsoft.com/.default" "1b730954-1685-4b74-9bfd-dac224a7b894"
        Log "Connected."
    }
    catch { LogError "Failed to establish connection. Error details: $($_)" }
} else {
    LogError "No credentials provided. Please, provide valid credentials and try again."
}
if ($null -ne $token) {
    $policies = $null
    try { $policies = GetData "identity/conditionalAccess/policies" $token.access_token }
    catch { LogError "Failed to get policy information. Error details: $($_)" }
    if ($null -ne $policies) {
        Log "Policy information:"
        Log ($policies | ConvertTo-Json -Depth 10)
    } else {
        Log "No policy information."
    }
}
Log "Done"
Write-Host "Press enter to continue..."
Read-Host
```
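The dump above returns every policy in the tenant; the added example below (not part of the KB article or of Cayosoft's script) narrows such a dump to the enabled policies whose user and cloud-app assignments cover the connection account. The function name is hypothetical, the JSON is a constructed sample in the shape of the Graph response, and the account id is a placeholder.

```powershell
# Added example (not part of the KB): narrow the dump written by dump-cap.ps1 to the
# enabled policies whose user and cloud-app assignments cover the connection account.
# Only assignments are evaluated; location, client-app and platform conditions are
# not, so the What If report remains the authority on what is actually enforced.
function Get-PoliciesTargetingAccount {
    param(
        [object[]]$Policies,      # policy objects from identity/conditionalAccess/policies
        [string]$UserId,          # object id of the Microsoft 365 connection account
        [string[]]$UserGroupIds,  # object ids of the groups the account is a member of
        [string]$AppId            # cloud app id, e.g. Office 365 Exchange Online
    )
    foreach ($p in $Policies) {
        # Disabled and report-only policies are never enforced
        if ($p.state -ne 'enabled') { continue }
        $u = $p.conditions.users
        $a = $p.conditions.applications
        $groupIn  = @($u.includeGroups | Where-Object { $UserGroupIds -contains $_ }).Count -gt 0
        $groupOut = @($u.excludeGroups | Where-Object { $UserGroupIds -contains $_ }).Count -gt 0
        $userIn   = ($u.includeUsers -contains 'All') -or ($u.includeUsers -contains $UserId) -or $groupIn
        $userOut  = ($u.excludeUsers -contains $UserId) -or $groupOut
        $appIn    = ($a.includeApplications -contains 'All') -or ($a.includeApplications -contains $AppId)
        $appOut   = $a.excludeApplications -contains $AppId
        if ($userIn -and -not $userOut -and $appIn -and -not $appOut) {
            [pscustomobject]@{ Policy = $p.displayName; Controls = ($p.grantControls.builtInControls -join ', ') }
        }
    }
}

# Constructed sample in the shape of the Graph response; the account id is a placeholder.
$sample = @'
{ "value": [
  { "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": [], "includeGroups": [], "excludeGroups": [] },
                    "applications": { "includeApplications": ["All"], "excludeApplications": [] } },
    "grantControls": { "builtInControls": ["mfa"] } },
  { "displayName": "Block Exchange except service accounts", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": ["aaaaaaaa-0000-0000-0000-000000000001"], "includeGroups": [], "excludeGroups": [] },
                    "applications": { "includeApplications": ["00000002-0000-0ff1-ce00-000000000000"], "excludeApplications": [] } },
    "grantControls": { "builtInControls": ["block"] } },
  { "displayName": "Require compliant device (report-only)", "state": "enabledForReportingButNotEnforced",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": [], "includeGroups": [], "excludeGroups": [] },
                    "applications": { "includeApplications": ["All"], "excludeApplications": [] } },
    "grantControls": { "builtInControls": ["compliantDevice"] } }
]}
'@
$policies = (ConvertFrom-Json $sample).value
Get-PoliciesTargetingAccount -Policies $policies -UserId 'aaaaaaaa-0000-0000-0000-000000000001' `
    -UserGroupIds @() -AppId '00000002-0000-0ff1-ce00-000000000000' | Format-Table -AutoSize
```

The sample exercises the three cases the filter has to distinguish: an enabled policy assigned to all users and all apps, an explicit exclusion of the account, and a report-only state. To run it against a real dump, load the JSON written by dump-cap.ps1 instead of `$sample` and pass the account's object id and group ids.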