Conditional Access policies, at their simplest, are if-then statements. If a user wants to access a resource, they must complete an action. Conditional Access contains many settings, and they can complement each other. Conditional Access contains many settings, and they can complement each other. Misconfiguration can take place when having multiple Conditional Access policies, or missing policies can occur. I created a PowerShell script for companies to validate their Conditional Access configuration.
When forcing Multi-Factor Authentication using Conditional Access, some companies forget to create a policy to disable Legacy Authentication, making the environment less secure since Legacy Authentication does not support Multi-Factor Authentication. The PowerShell script gives you an overview of how a user can log in to the environment.
The PowerShell script validates the following settings, including Multi-Factor Authentication:
|Conditional Access Policy Setting||Option||Multi-Factor Authentication|
|Device Platform||Windows Phone||V|
|Client Apps||Exchange Active Sync||X|
Configuring Conditional Access can be a challenge. Most companies forget to create a Conditional Access policy to blocks Legacy Authentication when forcing Multi-Factor Authentication or forget to disable “Other” clients when allowing a set of Device Platforms. Using this PowerShell script hopefully helps to validate the Conditional Access policy settings.