In September 2018, Microsoft introduced the concept of Conditional Access baseline policies. Baseline policies were superseded by Security Defaults, and starting February 2020 the Baseline Conditional Access policies were disabled in all Azure AD tenants. These lingering baseline policies are all Off and cannot be turned on, nor can they be removed from the Azure AD Portal. With the advent of the Conditional Access API, however, there is now a way.
The process
The process of removing the Conditional Access Baseline Policies in your Azure AD tenant consists of the following steps:
- Make a backup of all Conditional Access policies your organization uses
- Delete all Conditional Access policies
- Turn on Security Defaults
- Turn off Security Defaults
- Restore the Conditional Access policies your organization uses
For steps 1, 2 and 5, we'll use PowerShell. My colleague Barbara Forbes has created a great HOWTO on working with the Conditional Access APIs and we'll use that information to do the job.
Getting Ready
Before we can work with the Conditional Access policies in Windows PowerShell, we need to make sure we meet the requirements:
- We need a system with appropriate network connectivity and at least Windows PowerShell 5.
- We need at least version 2.0.2.106 of the Azure AD PowerShell module installed. You can install it using the following line of Windows PowerShell:
Install-Module AzureAD -Force
Note:
If your Conditional Access policies contain conditions that are labeled as Preview in the Azure Management experience, you will need to use the AzureADPreview Windows PowerShell module, instead of the AzureAD Windows PowerShell module, as the AzureAD module will not return any Conditional Access policies with Preview conditions configured.
- On devices with PowerShell 5, you'll need to import the AzureAD PowerShell module using the following line of Windows PowerShell:
Import-Module AzureAD
On devices with PowerShell 7 and beyond, you'll need to import the AzureAD PowerShell module using the following line of PowerShell:
Import-Module AzureAD -UseWindowsPowerShell
Make a backup of all Conditional Access policies
To make a backup of all Conditional Access Policies your organization uses, change to a directory where you want to store the backups of the Conditional Access policies and run the following line of Windows PowerShell:
Connect-AzureAD
Sign in with an account that has the Global administrator role or Conditional Access administrator role assigned.
Then perform the following lines of Windows PowerShell:
# Fetch every Conditional Access policy the module can see
$AllPolicies = Get-AzureADMSConditionalAccessPolicy
foreach ($Policy in $AllPolicies) {
    Write-Output "Backing up $($Policy.DisplayName)"
    # -Depth 6 keeps the nested Conditions/GrantControls/SessionControls intact
    $PolicyJSON = $Policy | ConvertTo-Json -Depth 6
    # One file per policy, named after its object Id
    $PolicyJSON | Out-File "$($Policy.Id).json"
}
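Once the next step has run, no Conditional Access policy is enforced in the tenant until the restore completes, so it pays to confirm the backup is complete before deleting anything. The following check is an added example, not part of the original post or of Barbara Forbes' HOWTO. It assumes it runs in the same connected session, in the directory holding the .json files, and it can only compare against what the AzureAD module returns (see the note above about policies with Preview conditions, which the AzureAD module does not return).

```powershell
# Added example: verify that every live policy has a readable backup file
# before the policies are deleted. Assumes the current directory holds the
# backups written by the previous step and Connect-AzureAD has been run.
$LivePolicies = @(Get-AzureADMSConditionalAccessPolicy)
$BackupFiles  = @(Get-ChildItem -Path . -Filter *.json)

$Missing = @()
$Corrupt = @()
foreach ($Policy in $LivePolicies) {
    # The backup step names each file after the policy's object Id
    $File = Join-Path -Path (Get-Location) -ChildPath "$($Policy.Id).json"
    if (-not (Test-Path -Path $File)) {
        $Missing += $Policy.DisplayName
        continue
    }
    try {
        # Round-trip the file to make sure it parses and belongs to this policy
        $Saved = Get-Content -Path $File -Raw | ConvertFrom-Json
        if ($Saved.DisplayName -ne $Policy.DisplayName) {
            $Corrupt += "$($Policy.DisplayName) (file holds '$($Saved.DisplayName)')"
        }
    } catch {
        $Corrupt += "$($Policy.DisplayName) ($($_.Exception.Message))"
    }
}

Write-Output "Live policies : $($LivePolicies.Count)"
Write-Output "Backup files  : $($BackupFiles.Count)"
if ($Missing.Count -eq 0 -and $Corrupt.Count -eq 0) {
    Write-Output "Backup verified for all $($LivePolicies.Count) policies; safe to continue."
} else {
    $Missing | ForEach-Object { Write-Warning "No backup file for: $_" }
    $Corrupt | ForEach-Object { Write-Warning "Unreadable or mismatched backup: $_" }
    # Stop here rather than proceed to deletion with an incomplete backup
    throw "Backup incomplete. Do not delete the Conditional Access policies yet."
}
```

Keep a copy of the backup directory somewhere outside the working session as well; the restore step reads the same files, and a single working copy is the only thing standing between the deletion and your original policy set.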
Delete all Conditional Access policies
Security Defaults cannot be turned on while any Conditional Access policy exists in the tenant, so we need to delete all Conditional Access policies first. This is required.
In the same Windows PowerShell window you used to execute the previous lines of Windows PowerShell, execute the following line of Windows PowerShell:
Get-AzureADMSConditionalAccessPolicy | Remove-AzureADMSConditionalAccessPolicy
Turn on Security Defaults
To turn on the Security Defaults feature, perform the following actions:
- Open your web browser and navigate to the Azure AD Portal.
- Sign in with an account with the Global administrator role or Conditional Access administrator role. Perform multi-factor authentication when prompted.
- In the left navigation menu, click on Azure Active Directory.
- In Azure Active Directory’s menu, click on Properties.
- At the bottom of the Properties pane, follow the Manage Security defaults link.
The Enable Security defaults blade appears.
- In the Enable Security defaults blade, change the Enable Security defaults option from No to Yes.
- Click the Save button at the bottom of the blade.
Turn off Security Defaults
Next, perform the following actions to turn the Security Defaults feature off again:
- In the Enable Security defaults blade, change the Enable Security defaults option from Yes to No.
- Click the Save button at the bottom of the blade.
- Close the web browser.
Restore the Conditional Access policies
In the same Windows PowerShell window you used to execute the previous lines of Windows PowerShell, execute the following lines of Windows PowerShell to restore the Conditional Access policies:
# Pick up every backup file written by the backup step
$BackupJsons = Get-ChildItem -Recurse -Include *.json
foreach ($Json in $BackupJsons) {
    $Policy = Get-Content $Json.FullName | ConvertFrom-Json
    # Show which policy is being restored
    $Policy.DisplayName
    # Cast the deserialized JSON back into the module's model types
    [Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet]$Conditions = $Policy.Conditions
    [Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls]$GrantControls = $Policy.GrantControls
    [Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls]$SessionControls = $Policy.SessionControls
    # Rebuild the Users condition, copying only the properties that hold a value
    $OldUsers = $Policy.Conditions.Users
    $UserMembers = $OldUsers | Get-Member -MemberType NoteProperty
    $Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    foreach ($member in $UserMembers) {
        if (-not [string]::IsNullOrEmpty($OldUsers.$($member.Name))) {
            $Users.($member.Name) = ($OldUsers.$($member.Name))
        }
    }
    $Conditions.Users = $Users
    # Rebuild the Applications condition the same way
    $OldApplications = $Policy.Conditions.Applications
    $ApplicationMembers = $OldApplications | Get-Member -MemberType NoteProperty
    $Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    foreach ($member in $ApplicationMembers) {
        if (-not [string]::IsNullOrEmpty($OldApplications.$($member.Name))) {
            $Applications.($member.Name) = ($OldApplications.$($member.Name))
        }
    }
    $Conditions.Applications = $Applications
    # Create the policy again with its original name, state and controls
    $Parameters = @{
        DisplayName     = $Policy.DisplayName
        State           = $Policy.State
        Conditions      = $Conditions
        GrantControls   = $GrantControls
        SessionControls = $SessionControls
    }
    $null = New-AzureADMSConditionalAccessPolicy @Parameters
}
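After the restore, the tenant should again contain one policy per backup file, each in the state it had before. The following check is an added example, not part of the original post. Restored policies receive new object Ids, so it matches on DisplayName rather than Id; it assumes the backup .json files are still in the current directory, that the session is still connected, and that State is stored as a string in the backups (which is what the restore above relies on as well).

```powershell
# Added example: compare the backup files with the live policies after the
# restore. Assumes the current directory holds the backups and the AzureAD
# session used for the restore is still connected.
$BackupPolicies = @(Get-ChildItem -Path . -Filter *.json |
    ForEach-Object { Get-Content -Path $_.FullName -Raw | ConvertFrom-Json })
$LivePolicies = @(Get-AzureADMSConditionalAccessPolicy)

$Report = foreach ($Backup in $BackupPolicies) {
    # New Ids were assigned on restore, so match on the display name
    $Found = @($LivePolicies | Where-Object { $_.DisplayName -eq $Backup.DisplayName })
    [pscustomobject]@{
        DisplayName = $Backup.DisplayName
        BackupState = $Backup.State
        LiveState   = if ($Found.Count -ge 1) { $Found[0].State } else { '(missing)' }
        # 0 = not restored, more than 1 = duplicate created by re-running the restore
        LiveCopies  = $Found.Count
    }
}
$Report | Format-Table -AutoSize

$Problems = @($Report | Where-Object {
    $_.LiveCopies -ne 1 -or $_.LiveState -ne $_.BackupState
})
if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object {
        Write-Warning "Check '$($_.DisplayName)': copies=$($_.LiveCopies), state=$($_.LiveState) (backup: $($_.BackupState))"
    }
} else {
    Write-Output "All $($Report.Count) policies are back with their original state."
}
```

A LiveCopies value of 0 means the restore loop did not recreate that policy (typically an error from New-AzureADMSConditionalAccessPolicy for that file), while a value above 1 means the restore script was run more than once; in either case fix that policy in the portal before considering the process complete.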
Concluding
With the advent of the Conditional Access APIs, we now have a way to get rid of the Conditional Access Baseline Policies. In the process, we also make a backup of the Conditional Access policies, which is a good thing.
Further reading
Assessing the impact that the new Baseline Policy for Admins in Azure AD might have
KnowledgeBase: Users receive an error when registering MFA when Security Defaults are enabled and the mobile app verification options are disabled
KnowledgeBase: App Passwords are only available to users with a non-Conditional Access MFA requirement
TODO: Move from per-user MFA to Conditional Access
The post HOWTO: Get rid of the Conditional Access Baseline Policies in your Azure AD tenant appeared first on The things that are better left unspoken.