Microsoft Azure AD Conditional Access Validator

Conditional Access policies are, at their simplest, if-then statements: if a user wants to access a resource, then they must complete an action. Conditional Access contains many settings, and they can complement each other. Misconfigurations arise when multiple Conditional Access policies interact in unintended ways, or when a required policy is missing altogether. I created a PowerShell script for companies to validate their Conditional Access configuration.

When forcing Multi-Factor Authentication using Conditional Access, some companies forget to create a policy that blocks Legacy Authentication. This leaves the environment less secure, since Legacy Authentication does not support Multi-Factor Authentication and therefore bypasses the requirement. The PowerShell script gives you an overview of how a user can log in to the environment.

PowerShell Script

The PowerShell script validates the following settings, including Multi-Factor Authentication:

Conditional Access Policy Setting | Option               | Multi-Factor Authentication
--------------------------------- | -------------------- | ---------------------------
Cloud Apps                        | PowerShell           | X
Device Platform                   | Android              | V
Device Platform                   | iOS                  | V
Device Platform                   | Windows Phone        | V
Device Platform                   | Windows              | V
Device Platform                   | macOS                | V
Device Platform                   | Other                | V
Client Apps                       | Exchange Active Sync | X

Table 1: PowerShell Script validations
Image 1: CheckAll function
Image 2: CheckLegacyAuth function
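As an added illustration of the kind of check Table 1 describes (example code written for this page, not the author's script from GitHub), the function below evaluates a sign-in scenario (device platform, client app type, cloud app) against a set of policies shaped like Microsoft Graph conditionalAccessPolicy objects and reports whether MFA or a block applies. The sample policies, the Test-CASignIn name and the scenario list are constructed, and user scoping is assumed to be all users.

```powershell
# Constructed sample policies (not from the page), shaped like Microsoft Graph
# conditionalAccessPolicy objects as returned by Get-MgIdentityConditionalAccessPolicy.
$policies = @(
    @{ displayName = 'Require MFA for all users'; state = 'enabled'
       conditions = @{ applications = @{ includeApplications = @('All') }
                       clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
                       platforms = @{ includePlatforms = @('android', 'iOS', 'windows', 'macOS'); excludePlatforms = @() } }
       grantControls = @{ builtInControls = @('mfa') } },
    @{ displayName = 'Block legacy authentication'; state = 'enabledForReportingButNotEnforced'
       conditions = @{ applications = @{ includeApplications = @('All') }
                       clientAppTypes = @('exchangeActiveSync', 'other'); platforms = $null }
       grantControls = @{ builtInControls = @('block') } }
)

# Hypothetical helper: evaluates one sign-in scenario against every policy.
# User scoping is assumed to be 'All users'; only app, client app type and platform are tested.
function Test-CASignIn {
    param([array]$Policies, [string]$Platform, [string]$ClientAppType, [string]$AppId)
    $r = [ordered]@{ Platform = $Platform; ClientApp = $ClientAppType; App = $AppId
                     Blocked = $false; MfaRequired = $false; Matched = @() }
    foreach ($p in $Policies) {
        if ($p.state -ne 'enabled') { continue }   # disabled and report-only policies never enforce
        $c = $p.conditions
        $appMatch    = ($c.applications.includeApplications -contains 'All') -or
                       ($c.applications.includeApplications -contains $AppId)
        $clientMatch = ($c.clientAppTypes -contains 'all') -or ($c.clientAppTypes -contains $ClientAppType)
        # No platform condition means every platform, including an unrecognised ('other') one.
        $platMatch   = ($null -eq $c.platforms) -or ($c.platforms.includePlatforms -contains 'all') -or
                       ($c.platforms.includePlatforms -contains $Platform)
        if ($c.platforms -and ($c.platforms.excludePlatforms -contains $Platform)) { $platMatch = $false }
        if (-not ($appMatch -and $clientMatch -and $platMatch)) { continue }
        $r.Matched += $p.displayName
        if ($p.grantControls.builtInControls -contains 'block') { $r.Blocked = $true }
        if ($p.grantControls.builtInControls -contains 'mfa')   { $r.MfaRequired = $true }
    }
    # V = the sign-in is blocked or requires MFA; X = neither applies, i.e. the gap the script looks for
    $r.Verdict = if ($r.Blocked -or $r.MfaRequired) { 'V' } else { 'X' }
    [pscustomobject]$r
}

# Constructed scenarios: a modern Android client, an Exchange ActiveSync client, and an unknown platform.
$scenarios = @(
    @{ Platform = 'android'; ClientAppType = 'mobileAppsAndDesktopClients'; AppId = 'All' },
    @{ Platform = 'windows'; ClientAppType = 'exchangeActiveSync';          AppId = 'All' },
    @{ Platform = 'other';   ClientAppType = 'browser';                     AppId = 'All' }
)
$scenarios | ForEach-Object { $s = $_; Test-CASignIn -Policies $policies @s } |
    Format-Table Platform, ClientApp, Verdict, Matched
```

With these sample policies only the Android scenario gets a V: the legacy-authentication block is report-only, so Exchange ActiveSync is neither blocked nor MFA-protected, and the MFA policy is scoped to named platforms, so an unrecognised platform falls through.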

Visit my GitHub page for the PowerShell script, and please add any feature requests or issues if there are any.

Conclusion

Configuring Conditional Access can be a challenge. Most companies forget to create a Conditional Access policy that blocks Legacy Authentication when forcing Multi-Factor Authentication, or forget to disable “Other” clients when allowing a set of Device Platforms. This PowerShell script will hopefully help to validate the Conditional Access policy settings.