New-MgIdentityConditionalAccessPolicy

Creates a new navigation property to policies for identity (a new conditionalAccessPolicy object).

Syntax

New-MgIdentityConditionalAccessPolicy
   [-AdditionalProperties <Hashtable>]
   [-Conditions <IMicrosoftGraphConditionalAccessConditionSet1>]
   [-CreatedDateTime <DateTime>]
   [-Description <String>]
   [-DisplayName <String>]
   [-GrantControls <IMicrosoftGraphConditionalAccessGrantControls>]
   [-Id <String>]
   [-ModifiedDateTime <DateTime>]
   [-SessionControls <IMicrosoftGraphConditionalAccessSessionControls1>]
   [-State <String>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

New-MgIdentityConditionalAccessPolicy
   -BodyParameter <IMicrosoftGraphConditionalAccessPolicy1>
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Creates a new navigation property to policies for identity (a new conditionalAccessPolicy object).

Parameters

-AdditionalProperties

Additional Parameters

Type: Hashtable
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-BodyParameter

conditionalAccessPolicy. To construct, use Get-Help -Online, see the NOTES section for BODYPARAMETER properties, and create a hash table.

Type: IMicrosoftGraphConditionalAccessPolicy1
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-Conditions

conditionalAccessConditionSet. To construct, use Get-Help -Online, see the NOTES section for CONDITIONS properties, and create a hash table.

Type: IMicrosoftGraphConditionalAccessConditionSet1
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-CreatedDateTime

The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.

Type: DateTime
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Description

Not used.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DisplayName

Specifies a display name for the conditionalAccessPolicy object.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-GrantControls

conditionalAccessGrantControls. To construct, use Get-Help -Online, see the NOTES section for GRANTCONTROLS properties, and create a hash table.

Type: IMicrosoftGraphConditionalAccessGrantControls
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Id

.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ModifiedDateTime

The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.

Type: DateTime
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SessionControls

conditionalAccessSessionControls. To construct, use Get-Help -Online, see the NOTES section for SESSIONCONTROLS properties, and create a hash table.

Type: IMicrosoftGraphConditionalAccessSessionControls1
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-State

conditionalAccessPolicyState

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Inputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphConditionalAccessPolicy1

Outputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphConditionalAccessPolicy1

Notes

ALIASES

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

BODYPARAMETER <IMicrosoftGraphConditionalAccessPolicy1>: conditionalAccessPolicy

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Id <String>]:
  • [Conditions <IMicrosoftGraphConditionalAccessConditionSet1>]: conditionalAccessConditionSet
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Applications <IMicrosoftGraphConditionalAccessApplications>]: conditionalAccessApplications
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExcludeApplications <String[]>]: The list of application IDs explicitly excluded from the policy.
      • [IncludeApplications <String[]>]: The list of application IDs the policy applies to, unless explicitly excluded (in excludeApplications). Can also be set to All.
      • [IncludeAuthenticationContextClassReferences <String[]>]: Authentication context class references to include. Supported values are c1 through c25.
      • [IncludeUserActions <String[]>]: User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice.
    • [ClientAppTypes <String[]>]: Client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other. Required.
    • [ClientApplications <IMicrosoftGraphConditionalAccessClientApplications>]: conditionalAccessClientApplications
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExcludeServicePrincipals <String[]>]: Service principal IDs excluded from the policy scope.
      • [IncludeServicePrincipals <String[]>]: Service principal IDs included in the policy scope, or ServicePrincipalsInMyTenant.
    • [DeviceStates <IMicrosoftGraphConditionalAccessDeviceStates>]: conditionalAccessDeviceStates
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExcludeStates <String[]>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined.
      • [IncludeStates <String[]>]: States in the scope of the policy. All is the only allowed value.
    • [Devices <IMicrosoftGraphConditionalAccessDevices1>]: conditionalAccessDevices
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [DeviceFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
        • [(Any) <Object>]: This indicates any property can be added to this object.
        • [Mode <String>]: filterMode
        • [Rule <String>]: Rule syntax is similar to that used for membership rules for groups in Azure Active Directory. For details, see rules with multiple expressions.
      • [ExcludeDeviceStates <String[]>]:
      • [ExcludeDevices <String[]>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined. Cannot be set if deviceFilter is set.
      • [IncludeDeviceStates <String[]>]:
      • [IncludeDevices <String[]>]: States in the scope of the policy. All is the only allowed value. Cannot be set if deviceFilter is set.
    • [Locations <IMicrosoftGraphConditionalAccessLocations>]: conditionalAccessLocations
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExcludeLocations <String[]>]: Location IDs excluded from scope of policy.
      • [IncludeLocations <String[]>]: Location IDs in scope of policy unless explicitly excluded, All, or AllTrusted.
    • [Platforms <IMicrosoftGraphConditionalAccessPlatforms>]: conditionalAccessPlatforms
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExcludePlatforms <String[]>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue, linux.
      • [IncludePlatforms <String[]>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue, linux.
    • [ServicePrincipalRiskLevels <String[]>]: Service principal risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    • [SignInRiskLevels <String[]>]: Sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
    • [UserRiskLevels <String[]>]: User risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
    • [Users <IMicrosoftGraphConditionalAccessUsers>]: conditionalAccessUsers
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExcludeGroups <String[]>]: Group IDs excluded from scope of policy.
      • [ExcludeRoles <String[]>]: Role IDs excluded from scope of policy.
      • [ExcludeUsers <String[]>]: User IDs excluded from scope of policy and/or GuestsOrExternalUsers.
      • [IncludeGroups <String[]>]: Group IDs in scope of policy unless explicitly excluded, or All.
      • [IncludeRoles <String[]>]: Role IDs in scope of policy unless explicitly excluded, or All.
      • [IncludeUsers <String[]>]: User IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.
  • [CreatedDateTime <DateTime?>]: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
  • [Description <String>]: Not used.
  • [DisplayName <String>]: Specifies a display name for the conditionalAccessPolicy object.
  • [GrantControls <IMicrosoftGraphConditionalAccessGrantControls>]: conditionalAccessGrantControls
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [BuiltInControls <String[]>]: List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue.
    • [CustomAuthenticationFactors <String[]>]: List of custom control IDs required by the policy. To learn more about custom controls, see Custom controls (preview).
    • [Operator <String>]: Defines the relationship of the grant controls. Possible values: AND, OR.
    • [TermsOfUse <String[]>]: List of terms of use IDs required by the policy.
  • [ModifiedDateTime <DateTime?>]: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
  • [SessionControls <IMicrosoftGraphConditionalAccessSessionControls1>]: conditionalAccessSessionControls
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ApplicationEnforcedRestrictions <IMicrosoftGraphApplicationEnforcedRestrictionsSessionControl>]: applicationEnforcedRestrictionsSessionControl
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [CloudAppSecurity <IMicrosoftGraphCloudAppSecuritySessionControl>]: cloudAppSecuritySessionControl
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
      • [CloudAppSecurityType <String>]: cloudAppSecuritySessionControlType
    • [ContinuousAccessEvaluation <IMicrosoftGraphContinuousAccessEvaluationSessionControl>]: continuousAccessEvaluationSessionControl
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [Mode <String>]: continuousAccessEvaluationMode
    • [DisableResilienceDefaults <Boolean?>]: Session control that determines whether it is acceptable for Azure AD to extend existing sessions based on information collected prior to an outage.
    • [PersistentBrowser <IMicrosoftGraphPersistentBrowserSessionControl>]: persistentBrowserSessionControl
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
      • [Mode <String>]: persistentBrowserSessionMode
    • [SignInFrequency <IMicrosoftGraphSignInFrequencySessionControl1>]: signInFrequencySessionControl
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
      • [AuthenticationType <String>]: signInFrequencyAuthenticationType
      • [FrequencyInterval <String>]: signInFrequencyInterval
      • [Type <String>]: signinFrequencyType
      • [Value <Int32?>]: The number of days or hours.
  • [State <String>]: conditionalAccessPolicyState

CONDITIONS <IMicrosoftGraphConditionalAccessConditionSet1>: conditionalAccessConditionSet

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Applications <IMicrosoftGraphConditionalAccessApplications>]: conditionalAccessApplications
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeApplications <String[]>]: The list of application IDs explicitly excluded from the policy.
    • [IncludeApplications <String[]>]: The list of application IDs the policy applies to, unless explicitly excluded (in excludeApplications). Can also be set to All.
    • [IncludeAuthenticationContextClassReferences <String[]>]: Authentication context class references to include. Supported values are c1 through c25.
    • [IncludeUserActions <String[]>]: User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice.
  • [ClientAppTypes <String[]>]: Client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other. Required.
  • [ClientApplications <IMicrosoftGraphConditionalAccessClientApplications>]: conditionalAccessClientApplications
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeServicePrincipals <String[]>]: Service principal IDs excluded from the policy scope.
    • [IncludeServicePrincipals <String[]>]: Service principal IDs included in the policy scope, or ServicePrincipalsInMyTenant.
  • [DeviceStates <IMicrosoftGraphConditionalAccessDeviceStates>]: conditionalAccessDeviceStates
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeStates <String[]>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined.
    • [IncludeStates <String[]>]: States in the scope of the policy. All is the only allowed value.
  • [Devices <IMicrosoftGraphConditionalAccessDevices1>]: conditionalAccessDevices
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [DeviceFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [Mode <String>]: filterMode
      • [Rule <String>]: Rule syntax is similar to that used for membership rules for groups in Azure Active Directory. For details, see rules with multiple expressions.
    • [ExcludeDeviceStates <String[]>]:
    • [ExcludeDevices <String[]>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined. Cannot be set if deviceFilter is set.
    • [IncludeDeviceStates <String[]>]:
    • [IncludeDevices <String[]>]: States in the scope of the policy. All is the only allowed value. Cannot be set if deviceFilter is set.
  • [Locations <IMicrosoftGraphConditionalAccessLocations>]: conditionalAccessLocations
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeLocations <String[]>]: Location IDs excluded from scope of policy.
    • [IncludeLocations <String[]>]: Location IDs in scope of policy unless explicitly excluded, All, or AllTrusted.
  • [Platforms <IMicrosoftGraphConditionalAccessPlatforms>]: conditionalAccessPlatforms
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludePlatforms <String[]>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue, linux.
    • [IncludePlatforms <String[]>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue, linux.
  • [ServicePrincipalRiskLevels <String[]>]: Service principal risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
  • [SignInRiskLevels <String[]>]: Sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
  • [UserRiskLevels <String[]>]: User risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
  • [Users <IMicrosoftGraphConditionalAccessUsers>]: conditionalAccessUsers
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeGroups <String[]>]: Group IDs excluded from scope of policy.
    • [ExcludeRoles <String[]>]: Role IDs excluded from scope of policy.
    • [ExcludeUsers <String[]>]: User IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    • [IncludeGroups <String[]>]: Group IDs in scope of policy unless explicitly excluded, or All.
    • [IncludeRoles <String[]>]: Role IDs in scope of policy unless explicitly excluded, or All.
    • [IncludeUsers <String[]>]: User IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

GRANTCONTROLS <IMicrosoftGraphConditionalAccessGrantControls>: conditionalAccessGrantControls

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [BuiltInControls <String[]>]: List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue.
  • [CustomAuthenticationFactors <String[]>]: List of custom control IDs required by the policy. To learn more about custom controls, see Custom controls (preview).
  • [Operator <String>]: Defines the relationship of the grant controls. Possible values: AND, OR.
  • [TermsOfUse <String[]>]: List of terms of use IDs required by the policy.

SESSIONCONTROLS <IMicrosoftGraphConditionalAccessSessionControls1>: conditionalAccessSessionControls

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ApplicationEnforcedRestrictions <IMicrosoftGraphApplicationEnforcedRestrictionsSessionControl>]: applicationEnforcedRestrictionsSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  • [CloudAppSecurity <IMicrosoftGraphCloudAppSecuritySessionControl>]: cloudAppSecuritySessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [CloudAppSecurityType <String>]: cloudAppSecuritySessionControlType
  • [ContinuousAccessEvaluation <IMicrosoftGraphContinuousAccessEvaluationSessionControl>]: continuousAccessEvaluationSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Mode <String>]: continuousAccessEvaluationMode
  • [DisableResilienceDefaults <Boolean?>]: Session control that determines whether it is acceptable for Azure AD to extend existing sessions based on information collected prior to an outage.
  • [PersistentBrowser <IMicrosoftGraphPersistentBrowserSessionControl>]: persistentBrowserSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [Mode <String>]: persistentBrowserSessionMode
  • [SignInFrequency <IMicrosoftGraphSignInFrequencySessionControl1>]: signInFrequencySessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [AuthenticationType <String>]: signInFrequencyAuthenticationType
    • [FrequencyInterval <String>]: signInFrequencyInterval
    • [Type <String>]: signinFrequencyType
    • [Value <Int32?>]: The number of days or hours.
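
EXAMPLE (added here; not part of the original cmdlet reference)

The following builds the BODYPARAMETER hash table described above, checks it against the value constraints listed in these notes, previews the call with -WhatIf, and then creates the policy. Test-CaPolicyBody is a hypothetical helper and the user ID is a placeholder; the Graph scopes and the enabledForReportingButNotEnforced state value are assumptions taken from the Microsoft Graph conditionalAccessPolicy resource, not from this page.

```powershell
# Added example. Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder object ID of an emergency-access account (replace with a real one).
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

# Hash table shaped like BODYPARAMETER <IMicrosoftGraphConditionalAccessPolicy1>.
$policy = @{
    DisplayName   = 'Require MFA for all users (report-only)'
    State         = 'enabledForReportingButNotEnforced'   # assumed state value, see lead-in
    Conditions    = @{
        ClientAppTypes = @('all')
        Applications   = @{ IncludeApplications = @('All') }
        Users          = @{
            IncludeUsers = @('All')
            ExcludeUsers = @($breakGlassUserId)
        }
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('mfa')
    }
}

# Hypothetical pre-flight check against the constraints listed in the notes above.
function Test-CaPolicyBody {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $problems = [System.Collections.Generic.List[string]]::new()
    $c = $Policy.Conditions
    $g = $Policy.GrantControls

    $clientApps = 'all', 'browser', 'mobileAppsAndDesktopClients', 'exchangeActiveSync', 'easSupported', 'other'
    $controls   = 'block', 'mfa', 'compliantDevice', 'domainJoinedDevice', 'approvedApplication',
                  'compliantApplication', 'passwordChange'

    if (-not $c.ClientAppTypes) { $problems.Add('Conditions.ClientAppTypes is required.') }
    foreach ($v in $c.ClientAppTypes) {
        if ($v -notin $clientApps) { $problems.Add("Unsupported ClientAppTypes value '$v'.") }
    }
    foreach ($v in $g.BuiltInControls) {
        if ($v -notin $controls) { $problems.Add("Unsupported BuiltInControls value '$v'.") }
    }
    if ($g -and $g.Operator -notin 'AND', 'OR') { $problems.Add('GrantControls.Operator must be AND or OR.') }

    # IncludeDevices/ExcludeDevices cannot be set if DeviceFilter is set.
    $d = $c.Devices
    if ($d.DeviceFilter -and ($d.IncludeDevices -or $d.ExcludeDevices)) {
        $problems.Add('Devices: IncludeDevices/ExcludeDevices cannot be combined with DeviceFilter.')
    }

    # Added safety check (not a rule from this page): avoid an all-users policy with no exclusion.
    $u = $c.Users
    if ($u.IncludeUsers -contains 'All' -and -not ($u.ExcludeUsers -or $u.ExcludeGroups -or $u.ExcludeRoles)) {
        $problems.Add('Users: IncludeUsers is All with no exclusions; exclude an emergency-access account.')
    }
    return $problems
}

$problems = Test-CaPolicyBody -Policy $policy
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

# Preview first, then create and show the resulting object.
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy -WhatIf
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Creating the policy in report-only state lets you review its effect in the sign-in logs before switching State to enforce it.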