Donovand4 / ConditionalAccessPolicyReport

PowerShell Script used to create a report for Azure AD Conditional Access Policies.
MIT License

Device States Not Reporting #7

Closed Donovand4 closed 2 years ago

Donovand4 commented 4 years ago

Get-MgIdentityConditionalAccessPolicy Fails to Retrieve Policies that are configured with device states.

https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/431

Donovand4 commented 3 years ago

This portion of the module is listed as a beta feature and will require a profile change to load the beta module, but that will limit the script to the beta modules.

MathiasMSFT commented 2 years ago

Hello, I used the beta profile (Select-MgProfile) but I don't have device state info. Do you know why?

    PS > (Get-MgIdentityConditionalAccessPolicy | where DisplayName -eq 'A400 - Allow browser if not compliant or not hybrid join with MFA' | select -ExpandProperty Conditions | Select *).DeviceStates

    ExcludeStates IncludeStates
    ------------- -------------

    PS > (Get-MgIdentityConditionalAccessPolicy | where DisplayName -eq 'A400 - Allow browser if not compliant or not hybrid join with MFA' | select -ExpandProperty Conditions | Select *).Devices

    ExcludeDeviceStates ExcludeDevices            IncludeDeviceStates IncludeDevices
    ------------------- --------------            ------------------- --------------
    {}                  {Compliant, DomainJoined} {}                  {All}

MathiasMSFT commented 2 years ago

The issue is in the API directly. Through Graph Explorer, I can't see Device State. I used Beta. With 1.0, the policy is not visible.

                "devices": {
                    "includeDeviceStates": [],
                    "excludeDeviceStates": [],
                    "includeDevices": [
                        "All"
                    ],
                    "excludeDevices": [
                        "Compliant",
                        "DomainJoined"
                    ],
                    "deviceFilter": null
                }

Donovand4 commented 2 years ago

Correct, I remember the structure changed which made it more difficult to keep track of the information between preview releases.

MathiasMSFT commented 2 years ago

DeviceState is deprecated. Now it's Device Filter. To retrieve the config, you can replace your lines (226/227) with this:

    "DevicesFilterStatesMode" = if ($pol.Conditions.Devices.DeviceFilter.Mode) { $pol.Conditions.Devices.DeviceFilter.Mode -join "," } else { "Failed to Report" }
    "DevicesFilterStatesRule" = if ($pol.Conditions.Devices.DeviceFilter.Rule) { $pol.Conditions.Devices.DeviceFilter.Rule -join "," } else { "Failed to Report" }

And also line 252 with that:

    $ReportData = $Report |
        Select-Object -Property Displayname, Description, State, ID, createdDateTime, ModifiedDateTime,
            UserIncludeUsers, UserExcludeUsers, UserIncludeGroups, UserExcludeGroups,
            ConditionSignInRiskLevels, ConditionClientAppTypes,
            PlatformIncludePlatforms, PlatformExcludePlatforms,
            DevicesFilterStatesMode, DevicesFilterStatesRule,
            ApplicationIncludeApplications, ApplicationExcludeApplications, ApplicationIncludeUserActions,
            LocationIncludeLocations, LocationExcludeLocations,
            GrantControlBuiltInControls, GrantControlTermsOfUse, GrantControlOperator, GrantControlCustomAuthenticationFactors,
            ApplicationEnforcedRestrictions,
            CloudAppSecurityCloudAppSecurityType, CloudAppSecurityIsEnabled,
            PersistentBrowserIsEnabled, PersistentBrowserMode,
            SignInFrequencyIsEnabled, SignInFrequencyType, SignInFrequencyValue |
        Sort-Object -Property Displayname

Donovand4 commented 2 years ago

Updated the repo to make use of the new modules and included the updated conditions provided by @MathiasMSFT.
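
Added example, not code from the ConditionalAccessPolicyReport repository or from anyone in this thread: a PowerShell function that flattens `conditions.devices` into report columns and reads the `deviceFilter` mode and rule alongside the legacy `includeDevices`/`excludeDevices` values, so a policy like the one in the Graph Explorer output above (where the old state names "Compliant" and "DomainJoined" sit in `excludeDevices` and `deviceFilter` is null) is not silently reported as having no device condition. The three sample policies are constructed JSON modelled on that output, not real tenant data; the column names `DevicesFilterStatesMode` and `DevicesFilterStatesRule` come from the thread, the other column and function names are my own.

```powershell
# Added example: report the device condition of Conditional Access policies under
# both the deprecated device-state model and the current deviceFilter model.
# Sample data is constructed to mirror the Graph Explorer output in this issue.

$SamplePolicies = @'
[
  {
    "displayName": "A400 - Allow browser if not compliant or not hybrid join with MFA",
    "state": "enabled",
    "conditions": {
      "devices": {
        "includeDeviceStates": [],
        "excludeDeviceStates": [],
        "includeDevices": [ "All" ],
        "excludeDevices": [ "Compliant", "DomainJoined" ],
        "deviceFilter": null
      }
    }
  },
  {
    "displayName": "Block unmanaged devices (filter)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "devices": {
        "deviceFilter": {
          "mode": "exclude",
          "rule": "device.isCompliant -eq True -or device.trustType -eq \"ServerAD\""
        }
      }
    }
  },
  {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": { "devices": null }
  }
]
'@ | ConvertFrom-Json

function Get-ReportValue {
    # Joins an array into one cell, or returns the same marker the thread's
    # replacement lines use when the property is absent, null or empty.
    param($Value)
    if ($null -ne $Value -and @($Value).Count -gt 0) { return (@($Value) -join ',') }
    return 'Failed to Report'
}

function Get-DeviceConditionReport {
    # Accepts either a live Get-MgIdentityConditionalAccessPolicy object or a
    # ConvertFrom-Json object; property lookups are case-insensitive, so both
    # "deviceFilter" and "DeviceFilter" resolve. Property access on $null yields
    # $null here, so a policy with no device condition falls through cleanly
    # (this relies on Set-StrictMode not being enabled).
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $dev = $Policy.Conditions.Devices
        [pscustomobject]@{
            DisplayName             = $Policy.DisplayName
            State                   = $Policy.State
            # Current model (column names taken from the thread's replacement lines).
            DevicesFilterStatesMode = Get-ReportValue $dev.DeviceFilter.Mode
            DevicesFilterStatesRule = Get-ReportValue $dev.DeviceFilter.Rule
            # Legacy model: on unmigrated policies the old state names appear here.
            DevicesIncludeDevices   = Get-ReportValue $dev.IncludeDevices
            DevicesExcludeDevices   = Get-ReportValue $dev.ExcludeDevices
            # Deprecated in the API; kept so a non-empty value is noticed if it ever appears.
            DevicesIncludeStates    = Get-ReportValue $dev.IncludeDeviceStates
            DevicesExcludeStates    = Get-ReportValue $dev.ExcludeDeviceStates
        }
    }
}

# Offline run against the constructed sample.
$SamplePolicies | Get-DeviceConditionReport | Format-Table -AutoSize

# Against a tenant (requires Policy.Read.All):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-MgIdentityConditionalAccessPolicy -All | Get-DeviceConditionReport
```

Reporting the legacy include/exclude columns next to the filter columns is the point: with only the `DevicesFilterStates*` columns, the first sample policy would show "Failed to Report" twice and look identical to a policy with no device condition at all, even though it excludes compliant and domain-joined devices.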