Closed Donovand4 closed 2 years ago
The portion of the module is listed as a beta feature and will require a profile change to load the beta module but will limit the script to the beta modules
Hello, I used beta profile (select-MgProfile) but I don't ahve device state info. Do you know why ?
PS > (Get-MgIdentityConditionalAccessPolicy | where DisplayName -eq 'A400 - Allow browser if not compliant or not hybrid join with MFA' | select -ExpandProperty Conditions | Select *).DeviceStates
ExcludeStates IncludeStates
------------- -------------
PS > (Get-MgIdentityConditionalAccessPolicy | where DisplayName -eq 'A400 - Allow browser if not compliant or not hybrid join with MFA' | select -ExpandProperty Conditions | Select *).Devices
ExcludeDeviceStates ExcludeDevices IncludeDeviceStates IncludeDevices
------------------- -------------- ------------------- --------------
{} {Compliant, DomainJoined} {} {All}
The issue is on API directly. Through Graph Explorer, I can't see Device State. I used Beta. With 1.0, the policy is not visible.
"devices": {
"includeDeviceStates": [],
"excludeDeviceStates": [],
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant",
"DomainJoined"
],
"deviceFilter": null
}
Correct, I remember the structure changed which made it more difficult to keep track of the information between preview releases.
DeviceState si deprecated. Now it's Device Filter. To retrieve config, you can replace your lines (226/227) with this:
"DevicesFilterStatesMode" = if ($pol.Conditions.Devices.DeviceFilter.Mode) {$pol.Conditions.Devices.DeviceFilter.Mode -join ","} else {"Failed to Report"} "DevicesFilterStatesRule" = if ($pol.Conditions.Devices.DeviceFilter.Rule) {$pol.Conditions.Devices.DeviceFilter.Rule -join ","} else {"Failed to Report"}
And also line 252 with that:
$ReportData = $Report | Select-Object -Property Displayname,Description,State,ID,createdDateTime,ModifiedDateTime,UserIncludeUsers,UserExcludeUsers,UserIncludeGroups,UserExcludeGroups,ConditionSignInRiskLevels,ConditionClientAppTypes,PlatformIncludePlatforms,PlatformExcludePlatforms,DevicesFilterStatesMode,DevicesFilterStatesRule,ApplicationIncludeApplications,ApplicationExcludeApplications,ApplicationIncludeUserActions,LocationIncludeLocations,LocationExcludeLocations,GrantControlBuiltInControls,GrantControlTermsOfUse,GrantControlOperator,GrantControlCustomAuthenticationFactors,ApplicationEnforcedRestrictions,CloudAppSecurityCloudAppSecurityType,CloudAppSecurityIsEnabled,PersistentBrowserIsEnabled,PersistentBrowserMode,SignInFrequencyIsEnabled,SignInFrequencyType,SignInFrequencyValue | Sort-Object -Property Displayname
Updated the repo to make use of the new modules and included updated conditions provided by @MathiasMSFT
Get-MgIdentityConditionalAccessPolicy Fails to Retrieve Policies that are configured with device states.
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/431