|
1 | 1 | <# |
2 | 2 | .SYNOPSIS |
3 | | - Export Microsoft Entra ID (Azure AD) Conditional Access (CA) policies—with 33 |
4 | | - detailed attributes—to a timestamped CSV file for audit, compliance, and reporting. |
| 3 | + Export Conditional Access (CA) policies from Microsoft Entra ID (Azure AD) to a structured CSV file. |
5 | 4 | .DESCRIPTION |
6 | | - This script connects to Microsoft Graph (beta) and exports Conditional Access |
7 | | - policies in your tenant into a single CSV. Out-of-the-box it supports: |
8 | | - • Six report types covering 33 attributes for deep policy analysis |
9 | | - • All policies (default), Active (enabled), Disabled, Report-only mode |
10 | | - • Time-based filters: recently created or modified policies |
11 | | - • Interactive MFA or certificate-based authentication |
12 | | - • Automatic installation of the Graph Beta module if missing |
13 | | - • Scheduler-friendly, non-GUI operation with optional “open file” prompt |
| 5 | + This script uses Microsoft Graph (beta) to extract Conditional Access policy configurations into a timestamped CSV report for audit, compliance, and operational insight. |
| 6 | +
|
| 7 | + Features: |
| 8 | + • Filters: Active, Disabled, Report-Only, recently created or modified |
| 9 | + • Output: CSV file with 30+ core CA policy attributes |
| 10 | + • Column handling: Optional exclusion of empty columns |
| 11 | + • Authentication: Supports interactive and certificate-based Graph auth |
| 12 | + • Progress: Includes progress bar with per-policy feedback |
| 13 | + • Performance: Caches display names and uses optimized object creation |
| 14 | + • Reliability: Verifies module presence and avoids redundant imports |
14 | 15 | .PARAMETER ActiveCAPoliciesOnly |
15 | | - Switch – export only policies whose **State** is *Enabled*. |
| 16 | + Only include policies whose State is Enabled. |
16 | 17 | .PARAMETER DisabledCAPoliciesOnly |
17 | | - Switch – export only policies whose **State** is *Disabled*. |
| 18 | + Only include policies whose State is Disabled. |
18 | 19 | .PARAMETER ReportOnlyMode |
19 | | - Switch – export only policies whose **State** is *EnabledForReportingButNotEnforced*. |
| 20 | + Only include policies in report-only mode. |
20 | 21 | .PARAMETER RecentlyCreatedCAPolicies |
21 | | - Integer – include only those policies created in the past *N* days. |
| 22 | + Include only policies created within the past N days. |
22 | 23 | .PARAMETER RecentlyModifiedCAPolicies |
23 | | - Integer – include only those policies modified in the past *N* days. |
| 24 | + Include only policies modified within the past N days. |
24 | 25 | .PARAMETER CreateSession |
25 | | - Switch – disconnect any existing Microsoft Graph session before reconnecting. |
| 26 | + Force disconnection and re-authentication to Microsoft Graph. |
26 | 27 | .PARAMETER TenantId |
27 | | - String – Azure AD tenant GUID (required for certificate-based/app-only auth). |
| 28 | + Directory (tenant) ID for Graph auth (used with ClientId and CertificateThumbprint). |
28 | 29 | .PARAMETER ClientId |
29 | | - String – Application (client) ID for certificate-based authentication. |
| 30 | + Application (client) ID for certificate-based Graph auth. |
30 | 31 | .PARAMETER CertificateThumbprint |
31 | | - String – Thumbprint of the certificate associated with the ClientId. |
| 32 | + Thumbprint of the certificate used for app-only authentication. |
| 33 | +.PARAMETER OutputDirectory |
| 34 | + Directory path for the generated CSV file. Default: "$PSScriptRoot\Output" |
| 35 | +.PARAMETER OutputFileName |
| 36 | + File name for the output. Default: "CA_Policies_Report_<timestamp>.csv" |
| 37 | +.PARAMETER IncludeEmptyColumns |
| 38 | + Switch to include columns that are empty across all results. |
32 | 39 | .NOTES |
33 | 40 | Author: Travis McDade |
34 | | - Date: 08/08/2025 |
35 | | - Version: 0.2.0 |
36 | | - Original Source |
37 | | - Author : RapidScripter |
38 | | - URL : https://github.com/RapidScripter/export-conditional-access-policies |
39 | | - Script : Export-CAPolicies.ps1 |
| 41 | + Last Updated: 08/08/2025 |
| 42 | + Version: 0.4.0 |
| 43 | + Original Source: |
| 44 | + Author: RapidScripter |
| 45 | + URL : https://github.com/RapidScripter/export-conditional-access-policies |
40 | 46 | Revision History: |
41 | | - 0.2.0 – 08/08/2025 – Initial adaptation and add attribution. |
42 | | - 0.1.0 – 06/30/2024 – Upstream version by RapidScripter. |
43 | | -Future Enhancements: |
44 | | - - None |
45 | | -Known Issues: |
46 | | - - None |
47 | | -Resources: |
48 | | - - None |
| 47 | + 0.4.0 – 08/08/2025 – Refactor for efficiency, object creation, join-logic, header handling |
| 48 | + 0.3.0 – 08/07/2025 – Column pruning and ordered header logic |
| 49 | + 0.2.0 – 08/06/2025 – Progress integration and parameter enhancements |
| 50 | + 0.1.0 – 06/30/2024 – Initial version from upstream |
49 | 51 | #> |
50 | 52 |
|
51 | 53 | param |
|
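Review bot: In the Revision History at the end of .NOTES, the already-published 0.2.0 entry is rewritten instead of being left in place: its date changes from 08/08/2025 to 08/06/2025 and its text from "Initial adaptation and add attribution" to "Progress integration and parameter enhancements", while 0.3.0 and 0.4.0 are introduced in the same commit. For a script whose CSV output is used for audit and compliance, keep existing entries unchanged and add new ones above them, so a report can be matched to the script version that produced it. Two documentation points in the same help block: .DESCRIPTION drops "Automatic installation of the Graph Beta module if missing" in favour of "Verifies module presence", which does not say what the script does when the module is absent, and the TenantId entry now reads "used with ClientId and CertificateThumbprint" where it previously said the value is required for certificate-based/app-only auth. State both explicitly, and consider adding an .EXAMPLE for the app-only invocation along with the Graph permissions the app registration needs, so operators can grant read-only access and nothing more.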