
Test-MtConditionalAccessWhatIf

SYNOPSIS

Tests Conditional Access evaluation with What If for a given scenario.

SYNTAX

ApplicationBasedCA (Default)

Test-MtConditionalAccessWhatIf [-UserId] <String> -IncludeApplications <String[]> [-DevicePlatform <String>]
[-ClientAppType <String>] [-SignInRiskLevel <String>] [-UserRiskLevel <String>] [-Country <String>]
[-IpAddress <String>] [-AllResults] [-ProgressAction <ActionPreference>] [<CommonParameters>]

UserActionBasedCA

Test-MtConditionalAccessWhatIf [-UserId] <String> [-UserAction <String[]>] [-DevicePlatform <String>]
[-ClientAppType <String>] [-SignInRiskLevel <String>] [-UserRiskLevel <String>] [-Country <String>]
[-IpAddress <String>] [-AllResults] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

This function tests a Conditional Access evaluation with What If for a given scenario.

The function uses the Microsoft Graph API to evaluate the Conditional Access policies.

Learn more: https://learn.microsoft.com/entra/identity/conditional-access/what-if-tool

EXAMPLES

EXAMPLE 1

Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-IncludeApplications "00000002-0000-0ff1-ce00-000000000000" `
-ClientAppType exchangeActiveSync

This example tests the Conditional Access policies for a user signing into Exchange Online using a legacy mail client that relies on basic authentication.

EXAMPLE 2

Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-UserAction registerOrJoinDevices

This example tests the Conditional Access policies for a user registering or joining a device to Microsoft Entra.

EXAMPLE 3

Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-IncludeApplications '67ad5377-2d78-4ac2-a867-6300cda00e85' `
-Country FR -IpAddress '92.205.185.202'

This example tests the Conditional Access policies for a user signing into Office 365 from France with a specific IP address.

EXAMPLE 4

Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-IncludeApplications '67ad5377-2d78-4ac2-a867-6300cda00e85' `
-SignInRiskLevel High -DevicePlatform iOS

This example tests the Conditional Access policies for a user signing into Office 365 from an iOS device with a High sign-in risk level.

EXAMPLE 5

Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-UserAction registerSecurityInformation `
-DevicePlatform Android `
-UserRiskLevel High

This example tests the Conditional Access policies for a user accessing the My Security Info page from an Android device with a High user risk level.
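
The scenarios from Examples 1 and 5 can be turned into repeatable regression checks. The following Pester 5 test file is an added example, not part of the Maester documentation. It assumes an existing Microsoft Graph session, a placeholder user principal name, that only applicable policies are returned when -AllResults is omitted, and that each returned object exposes grantControls.builtInControls as in the Graph conditionalAccessPolicy resource.

```powershell
# Added example (not from the Maester project).
# Assumptions: Graph session already established; without -AllResults only the
# policies that apply to the scenario are returned; each result exposes
# grantControls.builtInControls as the Graph conditionalAccessPolicy resource does.
Describe 'Conditional Access What If regression checks' -Tag 'CA', 'WhatIf' {

    BeforeAll {
        # Placeholder UPN: use a pilot account that should be in policy scope.
        $userId = (Get-MgUser -UserId 'pilot.user@example.com').Id

        # Hypothetical helper: flatten the grant controls of all returned policies.
        function Get-EnforcedControl {
            param([object[]] $Policy)
            @($Policy |
                ForEach-Object { $_.grantControls.builtInControls } |
                Where-Object { $_ })
        }
    }

    It 'blocks Exchange Online sign-ins from legacy (EAS) clients' {
        $policies = Test-MtConditionalAccessWhatIf -UserId $userId `
            -IncludeApplications '00000002-0000-0ff1-ce00-000000000000' `
            -ClientAppType exchangeActiveSync

        # An empty result means no policy covers this sign-in at all.
        $policies | Should -Not -BeNullOrEmpty -Because 'an uncovered scenario is a policy gap'
        Get-EnforcedControl $policies | Should -Contain 'block'
    }

    It 'blocks or requires MFA when a high-risk user registers security info on Android' {
        $policies = Test-MtConditionalAccessWhatIf -UserId $userId `
            -UserAction registerSecurityInformation `
            -DevicePlatform Android -UserRiskLevel High

        $policies | Should -Not -BeNullOrEmpty -Because 'an uncovered scenario is a policy gap'
        $controls = Get-EnforcedControl $policies
        ($controls -contains 'block' -or $controls -contains 'mfa') | Should -BeTrue
    }
}
```

Checking for an empty result before inspecting the controls separates "no policy applies" from "a policy applies with the wrong control", which are different findings to remediate.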

PARAMETERS

-UserId

The id of the user whose sign-in is being tested. Must be a valid userId (GUID). The userId can be looked up with $id = (Get-MgUser -UserId '[email protected]').id

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False

-IncludeApplications

The id of the application the user is signing into. Must be a valid application ID (GUID). The application ID can be looked up from the sign-in logs. The id of the Office 365 application is '67ad5377-2d78-4ac2-a867-6300cda00e85'.

Type: String[]
Parameter Sets: ApplicationBasedCA
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UserAction

The user action that should be tested. Values can be registerOrJoinDevices or registerSecurityInformation

Type: String[]
Parameter Sets: UserActionBasedCA
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-DevicePlatform

Device platform to be used for the test. Values can be all, Android, iOS, windows, windowsPhone, macOS, linux

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-ClientAppType

The client app used by the user. Values can be browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-SignInRiskLevel

Sign-in risk level for the test. Values can be None, Low, Medium, High

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-UserRiskLevel

User risk level for the test. Values can be None, Low, Medium, High

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Country

Country to be used for the test. The two-letter country code.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-IpAddress

IP address to be used for the test, e.g. 10.142.84.49

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-AllResults

Output all results

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction


Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

System.Object

NOTES

https://maester.dev/docs/commands/Test-MtConditionalAccessWhatIf