Skip to main content

Test-MtConditionalAccessWhatIf

SYNOPSIS

Tests Conditional Access evaluation with What If for a given scenario.

SYNTAX

ApplicationBasedCA (Default)

Test-MtConditionalAccessWhatIf [-UserId] <String> -IncludeApplications <String[]> [-DevicePlatform <String>]
 [-ClientAppType <String>] [-SignInRiskLevel <String>] [-UserRiskLevel <String>] [-InsiderRiskLevel <String>]
 [-ServicePrincipalRiskLevel <String>] [-DeviceInfo <Hashtable>] [-Country <String>] [-IpAddress <String>]
 [-AllResults] [-ProgressAction <ActionPreference>] [<CommonParameters>]

UserActionBasedCA

Test-MtConditionalAccessWhatIf [-UserId] <String> [-UserAction <String[]>] [-DevicePlatform <String>]
 [-ClientAppType <String>] [-SignInRiskLevel <String>] [-UserRiskLevel <String>] [-InsiderRiskLevel <String>]
 [-ServicePrincipalRiskLevel <String>] [-DeviceInfo <Hashtable>] [-Country <String>] [-IpAddress <String>]
 [-AllResults] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

This function tests a Conditional Access evaluation with What If for a given scenario.

The function uses the Microsoft Graph API to evaluate the Conditional Access policies.

Learn more: https://learn.microsoft.com/entra/identity/conditional-access/what-if-tool https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.identity.signins/test-mgbetaidentityconditionalaccess?view=graph-powershell-beta

EXAMPLES

EXAMPLE 1

Test-MtConditionalAccessWhatIf -UserId '7a6da1c3-616a-416b-a820-cbe4fa8e225e' `
    -IncludeApplications '00000002-0000-0ff1-ce00-000000000000' `
    -ClientAppType 'exchangeActiveSync'

This example tests the Conditional Access policies for a user signing into Exchange Online using a legacy Mail client that relies on basic authentication.

EXAMPLE 2

Test-MtConditionalAccessWhatIf -UserId '7a6da1c3-616a-416b-a820-cbe4fa8e225e' `
    -UserAction 'registerOrJoinDevices'

This example tests the Conditional Access policies for a user registering or joining a device to Microsoft Entra.

EXAMPLE 3

Test-MtConditionalAccessWhatIf -UserId '7a6da1c3-616a-416b-a820-cbe4fa8e225e' `
    -IncludeApplications '67ad5377-2d78-4ac2-a867-6300cda00e85' `
    -Country 'FR' -IpAddress '92.205.185.202'

This example tests the Conditional Access policies for a user signing into Office 365 from France with a specific IP address.

EXAMPLE 4

Test-MtConditionalAccessWhatIf -UserId '7a6da1c3-616a-416b-a820-cbe4fa8e225e' `
    -IncludeApplications '67ad5377-2d78-4ac2-a867-6300cda00e85' `
    -SignInRiskLevel 'High' -DevicePlatform 'iOS'

This example tests the Conditional Access policies for a user signing into Office 365 from an iOS device with a High sign-in risk level.

EXAMPLE 5

Test-MtConditionalAccessWhatIf -UserId '7a6da1c3-616a-416b-a820-cbe4fa8e225e' `
    -IncludeApplications 'bbad9299-f060-4e15-9a9a-285980ae00fc' `
    -DeviceInfo { 'isCompliant' = 'true'; 'Manufacturer' = 'Dell' } `
    -InsiderRiskLevel 'Minor'

This example tests the Conditional Access policies for a user accessing an application from a compliant, Dell device with a Minor insider risk level.

EXAMPLE 6

Test-MtConditionalAccessWhatIf -UserId '7a6da1c3-616a-416b-a820-cbe4fa8e225e' `
    -IncludeApplications 'a7936c39-024c-4148-a9b3-f88f2e9406f6' `
    -ServicePrincipalRiskLevel 'High' -Verbose

This example tests the Conditional Access policies for a service principal user accessing the application with a High service principal risk level. It will return all applied results, including the report-only and disabled policies.

PARAMETERS

-UserId

The id of the user sign-in that is being tested. Must be a valid userId (GUID). UserId can be looked up by $id = (Get-MgUser -UserId '[email protected]').id

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False

-IncludeApplications

The id of the application the user is signing into. Must be a valid application ID (GUID) Application ID can be looked up from from the sign in logs. The id of the Office 365 application is '67ad5377-2d78-4ac2-a867-6300cda00e85'

Type: String[]
Parameter Sets: ApplicationBasedCA
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UserAction

The user action that should be tested. Values can be registerOrJoinDevices or registerSecurityInformation

Type: String[]
Parameter Sets: UserActionBasedCA
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DevicePlatform

Device platform to be used for the test. Values can be all, Android, iOS, windows, windowsPhone, macOS, linux

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ClientAppType

The client app used by the user. Values can be browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-SignInRiskLevel

Sign-in risk level for the test. Values can be None, Low, Medium, High

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UserRiskLevel

User risk level for the test. Values can be None, Low, Medium, High

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-InsiderRiskLevel

Insider risk level for the test. Values can be Minor, Moderate, Elevated

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ServicePrincipalRiskLevel

Service Principal risk level for the test. Values can be None, Low, Medium, High

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DeviceInfo

[(Any) <Object>]: This indicates any property can be added to this object. [DeviceId <String>]: [DisplayName <String>]: [EnrollmentProfileName <String>]: [ExtensionAttribute1 <String>]: [ExtensionAttribute10 <String>]: [ExtensionAttribute11 <String>]: [ExtensionAttribute12 <String>]: [ExtensionAttribute13 <String>]: [ExtensionAttribute14 <String>]: [ExtensionAttribute15 <String>]: [ExtensionAttribute2 <String>]: [ExtensionAttribute3 <String>]: [ExtensionAttribute4 <String>]: [ExtensionAttribute5 <String>]: [ExtensionAttribute6 <String>]: [ExtensionAttribute7 <String>]: [ExtensionAttribute8 <String>]: [ExtensionAttribute9 <String>]: [IsCompliant <Boolean?>]: [Manufacturer <String>]: [MdmAppId <String>]: [Model <String>]: [OperatingSystem <String>]: [OperatingSystemVersion <String>]: [Ownership <String>]: [PhysicalIds <String []>]: [ProfileType <String>]: [SystemLabels <String []>]: [TrustType <String>]:

Type: Hashtable
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Country

Country to be used for the test. The two-letter country code.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-IpAddress

IP address to be used for the test. e.g. 10.142.84.49

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AllResults

Output all results, not only the applied policies.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ProgressAction

{{ Fill ProgressAction Description }}

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

System.Object

NOTES

https://maester.dev/docs/commands/Test-MtConditionalAccessWhatIf