| applicable | Security & Compliance |
|---|---|
| external help file | Microsoft.Exchange.TransportMailflow-Help.xml |
| Locale | en-US |
| Module Name | ExchangePowerShell |
| online version | https://learn.microsoft.com/powershell/module/exchangepowershell/set-deviceconditionalaccesspolicy |
| schema | 2.0.0 |
| title | Set-DeviceConditionalAccessPolicy |
This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.
Use the Set-DeviceConditionalAccessPolicy cmdlet to modify mobile device conditional access policies in Basic Mobility and Security in Microsoft 365.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Set-DeviceConditionalAccessPolicy [-Identity] <PolicyIdParameter>
[-RetryDistribution]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
Set-DeviceConditionalAccessPolicy [-Identity] <PolicyIdParameter>
[-Comment <String>]
[-Enabled <Boolean>]
[-Force]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
The cmdlets in Basic Mobility and Security are described in the following list:
- DeviceTenantPolicy and DeviceTenantRule cmdlets: A policy that defines whether to block or allow mobile device access to Exchange Online email by unsupported devices that use Exchange ActiveSync only. This setting applies to all users in your organization. Both allow and block scenarios allow reporting for unsupported devices, and you can specify exceptions to the policy based on security groups.
- DeviceConditionalAccessPolicy and DeviceConditionalAccessRule cmdlets: Policies that control mobile device access to Microsoft 365 for supported devices. These policies are applied to security groups. Unsupported devices are not allowed to enroll in Basic Mobility and Security.
- DeviceConfigurationPolicy and DeviceConfigurationRule cmdlets: Policies that control mobile device settings for supported devices. These policies are applied to security groups.
- Get-DevicePolicy: Returns all Basic Mobility and Security policies regardless of type (DeviceTenantPolicy, DeviceConditionalAccessPolicy or DeviceConfigurationPolicy).
For more information about Basic Mobility and Security, see Overview of Basic Mobility and Security for Microsoft 365.
To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Defender portal or Permissions in the Microsoft Purview compliance portal.
Set-DeviceConditionalAccessPolicy -Identity Executives -Enabled $falseThis example disables the existing mobile device conditional access policy named Executives.
Applicable: Security & Compliance
The Identity parameter specifies the mobile device conditional access policy that you want to modify. You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
Type: PolicyIdParameter
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True
Accept wildcard characters: FalseApplicable: Security & Compliance
This parameter is reserved for internal Microsoft use.
Type: SwitchParameter
Parameter Sets: RetryDistribution
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseApplicable: Security & Compliance
The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks ("), for example: "This is an admin note".
Type: String
Parameter Sets: Identity
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseApplicable: Security & Compliance
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax:
-Confirm:$false. - Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseApplicable: Security & Compliance
The Enabled parameter specifies whether the policy is enabled. Valid values are:
- $true: The policy is enabled. This value is the default.
- $false: The policy is disabled.
Type: Boolean
Parameter Sets: Identity
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseApplicable: Security & Compliance
The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch.
You can use this switch to run tasks programmatically where prompting for administrative input is inappropriate.
Type: SwitchParameter
Parameter Sets: Identity
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseApplicable: Security & Compliance
The WhatIf switch doesn't work in Security & Compliance PowerShell.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.