New-CMConditionalAccessPolicy

Creates a conditional access policy.

Syntax

New-CMConditionalAccessPolicy
   [-Confirm]
   [-DefaultRuleOverride]
   [-DisableWildcardHandling]
   [-ExcludedCollection <IResultObject[]>]
   [-ForceWildcardHandling]
   [-NotificationText <String>]
   -TargetedCollection <IResultObject[]>
   [-WhatIf]
   [<CommonParameters>]
New-CMConditionalAccessPolicy
   [-Confirm]
   [-DefaultRuleOverride]
   [-DisableWildcardHandling]
   [-ExcludedCollectionId <String[]>]
   [-ForceWildcardHandling]
   [-NotificationText <String>]
   -TargetedCollectionId <String[]>
   [-WhatIf]
   [<CommonParameters>]
New-CMConditionalAccessPolicy
   [-Confirm]
   [-DefaultRuleOverride]
   [-DisableWildcardHandling]
   [-ExcludedCollectionName <String[]>]
   [-ForceWildcardHandling]
   [-NotificationText <String>]
   -TargetedCollectionName <String[]>
   [-WhatIf]
   [<CommonParameters>]

Description

The New-CMConditionalAccessPolicy cmdlet creates a conditional access policy.

NOTE: Before running this cmdlet, make sure an administrator has configured the notification email address for the Exchange Server connector. Exchange uses that address to send the blocked-device notification whose text you supply with -NotificationText.

Examples

Example 1: Create a conditional access policy by value

PS C:\> New-CMConditionalAccessPolicy -TargetedCollection (Get-CMCollection -Name 'All Users') -DefaultRuleOverride -ExcludedCollection (Get-CMCollection -Name "TestCol") -NotificationText "Succeedtest"

This command creates a conditional access policy that targets the user collection named All Users and excludes the user collection named TestCol. Because -DefaultRuleOverride is specified, members of the targeted collection whose devices are enrolled in Intune and compliant can access Exchange even if the default Exchange access rule is set to quarantine or block. The command also provides the text of the notification that Exchange sends to a user when the user's device is blocked.

Example 2: Create a conditional access policy by ID

PS C:\> New-CMConditionalAccessPolicy -TargetedCollectionId sms00004 -ExcludedCollectionId TS300014 -NotificationText "Test text" -DefaultRuleOverride

This command creates a conditional access policy with a targeted collection with the ID of sms00004 and an excluded collection with the ID TS300014. The command provides text for the user notification sent by Exchange when the user's device is blocked.

Example 3: Create a conditional access policy by name

PS C:\> New-CMConditionalAccessPolicy -TargetedCollectionName "All Users" -ExcludedCollectionName "TestCol1" -NotificationText "Test text" -DefaultRuleOverride

This command creates a conditional access policy with a targeted collection named All Users and an excluded collection named TestCol1. The command provides text for the user notification sent by Exchange when the user's device is blocked.
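The following script is an added example; it is not part of the original reference page or of the Configuration Manager product documentation. It wraps the by-value form from Example 1 with the checks a practitioner would want before committing a policy: it confirms that each collection exists and is a user collection (it assumes the SMS_Collection CollectionType value 1 denotes a user collection and uses the MemberCount property as the collection size), warns about large excluded collections because their members bypass the enrollment and compliance requirement, and runs with -WhatIf so nothing is created until the preview looks right. The site code, collection names, size threshold and notification text are placeholders.

```powershell
# Added example (not from the original reference page). Assumes the
# ConfigurationManager module is already imported and that the site drive
# (for example PS1:) exists. All names below are placeholders.
param(
    [string]   $SiteCode     = 'PS1',
    [string]   $TargetName   = 'All Users',
    [string[]] $ExcludeNames = @('CA-Exclusions'),
    [int]      $MaxExcluded  = 25,
    [string]   $Notice       = 'Your device must be enrolled in Intune and compliant to access email.'
)

Set-Location "$($SiteCode):"

function Assert-UserCollection {
    param([Parameter(Mandatory)][string]$Name)
    $col = Get-CMCollection -Name $Name
    if (-not $col) { throw "Collection '$Name' not found." }
    # Assumption: SMS_Collection.CollectionType is 1 for user collections and
    # 2 for device collections. Conditional access policies target users, so a
    # device collection here is a configuration error, not something to tolerate.
    if ($col.CollectionType -ne 1) {
        throw "Collection '$Name' (ID $($col.CollectionID)) is not a user collection."
    }
    return $col
}

$target  = Assert-UserCollection -Name $TargetName
$exclude = @(foreach ($n in $ExcludeNames) { Assert-UserCollection -Name $n })

# Every member of an excluded collection can reach Exchange without an enrolled,
# compliant device (subject only to the default Exchange rule), so treat a large
# exclusion set as a finding rather than a convenience.
foreach ($col in $exclude) {
    if ($col.MemberCount -gt $MaxExcluded) {
        Write-Warning ("Excluded collection '{0}' has {1} members; confirm that each one " +
                       "should bypass the compliance requirement." -f $col.Name, $col.MemberCount)
    }
}

# Preview only. Remove -WhatIf (or replace it with -Confirm) once the output
# names exactly the collections you expect.
New-CMConditionalAccessPolicy -TargetedCollection $target `
                              -ExcludedCollection $exclude `
                              -DefaultRuleOverride `
                              -NotificationText $Notice `
                              -WhatIf
```

Run it from a console where the ConfigurationManager module is loaded; the throw on a device collection is deliberate, since the cmdlet parameters accept any collection object and a wrong type is easier to catch here than after users start being blocked.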

Required Parameters

-TargetedCollection

Specifies an array of user collection objects. To obtain a user collection object, use the Get-CMCollection cmdlet. Members of these collections must enroll their devices in Microsoft Intune and be compliant with any deployed compliance policies to access Exchange.

Type:IResultObject[]
Aliases:TargetedCollections
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-TargetedCollectionId

Specifies an array of user collection IDs. Members of these collections must enroll their devices in Microsoft Intune and be compliant with any deployed compliance policies to access Exchange.

Type:String[]
Aliases:TargetedCollectionIds
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-TargetedCollectionName

Specifies an array of user collection names. Members of these collections must enroll their devices in Microsoft Intune and be compliant with any deployed compliance policies to access Exchange.

Type:String[]
Aliases:TargetedCollectionNames
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Optional Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Required:False
Position:Named
Default value:False
Accept pipeline input:False
Accept wildcard characters:False
-DefaultRuleOverride

Specifies that devices enrolled in Microsoft Intune and compliant with the deployed compliance policies are allowed to access Exchange. This rule overrides the default Exchange access rule: even if the default rule is set to quarantine or block access, enrolled and compliant devices can still access Exchange.

Type:SwitchParameter
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type:SwitchParameter
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExcludedCollection

Specifies an array of user collection objects. To obtain a user collection object, use the Get-CMCollection cmdlet. Members of these collections do not have to enroll their devices in Microsoft Intune or be compliant with any deployed compliance policies to access Exchange, as long as the default Exchange rules allow access.

Type:IResultObject[]
Aliases:ExcludedCollections
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExcludedCollectionId

Specifies an array of user collection IDs. Members of these collections do not have to enroll their devices in Microsoft Intune or be compliant with any deployed compliance policies to access Exchange, as long as the default Exchange rules allow access.

Type:String[]
Aliases:ExcludedCollectionIds
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ExcludedCollectionName

Specifies an array of user collection names. Members of these collections do not have to enroll their devices in Microsoft Intune or be compliant with any deployed compliance policies to access Exchange, as long as the default Exchange rules allow access.

Type:String[]
Aliases:ExcludedCollectionNames
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
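An excluded collection only changes the outcome for users who are also in a targeted collection, so the set of users who actually bypass the policy is the intersection of the two. The following function is an added example, not from the original page or the product documentation, that computes that intersection with Get-CMCollectionMember so the bypass list can be reviewed as part of a change. It assumes that members of a user collection expose a unique SMSID property and a display Name; the collection names are placeholders.

```powershell
# Added example (not from the original reference page). Assumes the
# ConfigurationManager module is imported and the current location is the
# site drive. Collection names are placeholders.
function Get-EffectiveExclusion {
    param(
        [Parameter(Mandatory)][string]   $TargetedCollectionName,
        [Parameter(Mandatory)][string[]] $ExcludedCollectionName
    )

    # Assumption: each user-collection member carries SMSID as its unique key.
    $targetedIds = @{}
    foreach ($m in @(Get-CMCollectionMember -CollectionName $TargetedCollectionName)) {
        $targetedIds[$m.SMSID] = $true
    }

    foreach ($name in $ExcludedCollectionName) {
        foreach ($m in @(Get-CMCollectionMember -CollectionName $name)) {
            # Users excluded but not targeted are unaffected by the policy either way;
            # only the overlap represents a real bypass of the compliance requirement.
            if ($targetedIds.ContainsKey($m.SMSID)) {
                [pscustomobject]@{
                    User               = $m.Name
                    SMSID              = $m.SMSID
                    ExcludedCollection = $name
                }
            }
        }
    }
}

# Every row is a user who can reach Exchange without an enrolled, compliant
# device, subject only to the default Exchange access rule.
Get-EffectiveExclusion -TargetedCollectionName 'All Users' `
                       -ExcludedCollectionName 'CA-Exclusions' |
    Sort-Object User |
    Format-Table -AutoSize
```

Keep the output with the change record: when the excluded collection is rule-based rather than direct-membership, the bypass list can grow without anyone editing the policy, so it is worth re-running after the fact as well.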
-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type:SwitchParameter
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-NotificationText

Specifies the text of the email that Exchange sends to users when their device is blocked.

Type:String
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Required:False
Position:Named
Default value:False
Accept pipeline input:False
Accept wildcard characters:False

Outputs

IResultObject#SMS_ConditionAccessManagement