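**CODE**
<#
.SYNOPSIS
    Creates the Azure AD Conditional Access policies described in a JSON parameter file,
    skipping any entry whose display name already exists in the tenant.
.PARAMETER parametersfilePath
    Path to the JSON parameter file. Entries are read from
    parameters.conditionalAcessPolicies.value (the key is spelled that way in both the
    script and the sample file; the file must match it).
.NOTES
    Uses the AzureAD module cmdlets Get-/New-AzureADMSConditionalAccessPolicy and assumes an
    existing Azure AD session; no connection is established here.
    The function name conditionalAccessPolicies and the variable $conditionalAccessPolicies are
    kept from the original script even though they differ only by the leading '$'.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $parametersfilePath
)

# Initializing parameters. A missing file is reported instead of being a silent no-op:
# the original left $details unset, so the loop below simply created nothing.
if (-not (Test-Path -Path $parametersfilePath)) {
    throw "Parameters file not found: $parametersfilePath"
}
$jsonModuledetails = Get-Content -Path $parametersfilePath -Raw
$details = $jsonModuledetails | ConvertFrom-Json
$conditionalAccessPolicies = $details.parameters.conditionalAcessPolicies.value

#######################################
# True when a parameter-file value carries content.
# Arguments: $Value - any value from the parameter file (string, array, bool, number)
# Returns:   $true unless the value is null/empty. Arrays are stringified by the .NET
#            call (elements joined with a space), so "" and [""] both count as empty,
#            which is how the sample file marks a setting as "not used".
#######################################
function Test-HasValue {
    param([object] $Value)
    return -not [string]::IsNullOrEmpty($Value)
}

#######################################
# Builds the condition/grant/session objects for one parameter-file entry and creates
# the policy in the tenant.
# Arguments: $policy - one element of conditionalAcessPolicies.value
# Outputs:   whatever New-AzureADMSConditionalAccessPolicy returns (the created policy)
# Throws:    rethrows any failure after logging the policy display name
#######################################
function conditionalAccessPolicies {
    param([Parameter(Mandatory = $true)] $policy)
    try {
        $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

        $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
        if (Test-HasValue $policy.includeApplications) {
            $conditions.Applications.IncludeApplications = $policy.includeApplications
        }
        if (Test-HasValue $policy.includeUserActions) {
            $conditions.Applications.IncludeUserActions = $policy.includeUserActions
        }

        $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
        if (Test-HasValue $policy.includeUsers) {
            $conditions.Users.IncludeUsers = $policy.includeUsers
        }
        if (Test-HasValue $policy.excludeUsers) {
            $conditions.Users.ExcludeUsers = $policy.excludeUsers
        }

        if (Test-HasValue $policy.clientAppTypes) {
            $conditions.ClientAppTypes = $policy.clientAppTypes
        }

        # The Locations object is only attached when at least one location list is set.
        if ((Test-HasValue $policy.includeLocations) -or (Test-HasValue $policy.excludeLocations)) {
            $conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
            if (Test-HasValue $policy.includeLocations) {
                $conditions.Locations.IncludeLocations = $policy.includeLocations
            }
            if (Test-HasValue $policy.excludeLocations) {
                $conditions.Locations.ExcludeLocations = $policy.excludeLocations
            }
        }

        # Without an operator no grant controls are sent ($null). The original left the
        # variable undefined in that case, which only works while StrictMode is off.
        $grantControls = $null
        if (Test-HasValue $policy.grantControlOperator) {
            $grantControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
            $grantControls._Operator = $policy.grantControlOperator
            $grantControls.BuiltInControls = $policy.grantBuiltInControls
        }

        $sessionControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls
        if (Test-HasValue $policy.signInFrequency.type) {
            $sessionControls.SignInFrequency = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSignInFrequency
            $sessionControls.SignInFrequency.IsEnabled = $policy.signInFrequency.isEnabled
            $sessionControls.SignInFrequency.Type = $policy.signInFrequency.type
            $sessionControls.SignInFrequency.Value = $policy.signInFrequency.value
        }
        # Fix: the original tested $sessionControls.PersistentBrowser.Mode, which is always
        # null on a freshly created object, so the persistentBrowser settings from the file
        # (e.g. mode "never" in the sample) were silently never applied.
        if (Test-HasValue $policy.persistentBrowser.mode) {
            $sessionControls.PersistentBrowser = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessPersistentBrowser
            $sessionControls.PersistentBrowser.Mode = $policy.persistentBrowser.mode
            $sessionControls.PersistentBrowser.IsEnabled = $policy.persistentBrowser.isEnabled
        }

        # State is taken verbatim from the file: an "Enabled" entry with "block" controls and
        # includeUsers "all" takes effect as soon as it is created, so the excludeUsers list is
        # the only safeguard against locking out the accounts running this script.
        # -Debug/-Verbose are kept from the original; note that in Windows PowerShell 5.1 -Debug
        # switches the call to Inquire and prompts on each debug message, which stalls
        # unattended runs, and the debug stream may echo request details into logs.
        New-AzureADMSConditionalAccessPolicy -DisplayName $policy.policyDisplayName `
            -State $policy.state `
            -Conditions $conditions `
            -GrantControls $grantControls `
            -SessionControls $sessionControls `
            -Debug -Verbose
    }
    catch {
        Write-Information -InformationAction Continue -MessageData " Failed to add conditional access policy - $($conditionalAccessPolicy.policyDisplayName): Error- $($_.exception)"
        # Bare throw rethrows the current error record, keeping the original stack.
        throw
    }
}

# The tenant's policies are fetched once instead of once per entry; created names are
# appended so a duplicate entry later in the file is still reported rather than created twice.
$existingPolicies = @(Get-AzureADMSConditionalAccessPolicy)
foreach ($conditionalAccessPolicy in $conditionalAccessPolicies) {
    $getConditionalPolicy = $existingPolicies | Where-Object { $_.DisplayName -eq $conditionalAccessPolicy.policyDisplayName }
    if (-not $getConditionalPolicy) {
        conditionalAccessPolicies -policy $conditionalAccessPolicy
        $existingPolicies += [pscustomobject]@{ DisplayName = $conditionalAccessPolicy.policyDisplayName }
    }
    else {
        Write-Information -InformationAction Continue -MessageData " Conditional access policy - $($conditionalAccessPolicy.policyDisplayName) already exist."
    }
}

**INPUT PARAMS**
"conditionalAcessPolicies": {
  "value": [
    {
      "policyDisplayName": "AZTS Location Restriction Policy", "state": "Enabled",
      "includeApplications": ["XXXXXXXXXXXXXXXXXXXXX"], "includeUserActions": "",
      "includeUsers": "all", "excludeUsers": ["XXXXXXXXXXXXXX"],
      "clientAppTypes": ["all"],
      "includeLocations": "all", "excludeLocations": ["XXXXXXXXXXXXXXXX"],
      "grantControlOperator": "OR", "grantBuiltInControls": "block",
      "signInFrequency": { "isEnabled": "", "type": "", "value": "" },
      "persistentBrowser": { "mode": "", "isEnabled": "" }
    },
    {
      "policyDisplayName": "Location based restriction", "state": "Disabled",
      "includeApplications": "all", "includeUserActions": "",
      "includeUsers": ["XXXXXXXXXXXXXXXX"], "excludeUsers": [""],
      "clientAppTypes": ["all"],
      "includeLocations": "all", "excludeLocations": ["XXXXXXXXXXXXX"],
      "grantControlOperator": "OR", "grantBuiltInControls": "block",
      "signInFrequency": { "isEnabled": "", "type": "", "value": "" },
      "persistentBrowser": { "mode": "", "isEnabled": "" }
    },
    {
      "policyDisplayName": "All apps MFA & Location", "state": "Enabled",
      "includeApplications": "all", "includeUserActions": "",
      "includeUsers": "all", "excludeUsers": ["XXXXXXXXXXXX"],
      "clientAppTypes": ["Browser", "mobileAppsAndDesktopClients", "ExchangeActiveSync", "Other"],
      "includeLocations": "", "excludeLocations": "",
      "grantControlOperator": "OR", "grantBuiltInControls": ["mfa", "compliantDevice"],
      "signInFrequency": { "isEnabled": true, "type": "hours", "value": 8 },
      "persistentBrowser": { "mode": "never", "isEnabled": true }
    },
    {
      "policyDisplayName": "MFA for Device Enrollment", "state": "Enabled",
      "includeApplications": "", "includeUserActions": "urn:user:registerdevice",
      "includeUsers": "all", "excludeUsers": ["XXXXXXXXXX"],
      "clientAppTypes": ["all"],
      "includeLocations": "", "excludeLocations": "",
      "grantControlOperator": "OR", "grantBuiltInControls": ["mfa"],
      "signInFrequency": { "isEnabled": "", "type": "", "value": "" },
      "persistentBrowser": { "mode": "", "isEnabled": "" }
    }
  ]
}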