Microsoft Azure AD Conditional Access Validator

Conditional Access policies, at their simplest, are if-then statements. If a user wants to access a resource, they must complete an action. Conditional Access contains many settings, and they can complement each other. Conditional Access contains many settings, and they can complement each other. Misconfiguration can take place when having multiple Conditional Access policies, or missing policies can occur. I created a PowerShell script for companies to validate their Conditional Access configuration.

When forcing Multi-Factor Authentication using Conditional Access, some companies forget to create a policy to disable Legacy Authentication, making the environment less secure since Legacy Authentication does not support Multi-Factor Authentication. The PowerShell script gives you an overview of how a user can log in to the environment.

PowerShell Script

The PowerShell script validates the following settings, including Multi-Factor Authentication:

Conditional Access Policy SettingOptionMulti-Factor Authentication
Cloud AppsPowerShellX
Device PlatformAndroidV
Device PlatformiOSV
Device PlatformWindows PhoneV
Device PlatformWindowsV
Device PlatformmacOSV
Device PlatformOtherV
Client AppsExchange Active SyncX
Table 1: PowerShell Script validations
Image 1: CheckAll function
Image 2: CheckLegacyAuth function

Visit my GitHub page for the PowerShell script, and please add any feature requests or issues if there are any.


Configuring Conditional Access can be a challenge. Most companies forget to create a Conditional Access policy to blocks Legacy Authentication when forcing Multi-Factor Authentication or forget to disable “Other” clients when allowing a set of Device Platforms. Using this PowerShell script hopefully helps to validate the Conditional Access policy settings.