Commit 145170e

SteveMutungi254, stevemutungi and msewaweru authored
[Modularize] Example improvements - SignIns category (#1310)
* Example improvements
* Update module/docs/entra-powershell-beta/SignIns/New-EntraBetaConditionalAccessPolicy.md
  Co-authored-by: Eunice Waweru <73849846+msewaweru@users.noreply.github.com>
* Update module/docs/entra-powershell-beta/SignIns/New-EntraBetaFeatureRolloutPolicy.md
  Co-authored-by: Eunice Waweru <73849846+msewaweru@users.noreply.github.com>
* Adding absolute path.

---------

Co-authored-by: stevemutungi <stevemutungi@microsoft.com>
Co-authored-by: Eunice Waweru <73849846+msewaweru@users.noreply.github.com>
1 parent e33c7cf commit 145170e

50 files changed

Lines changed: 476 additions & 664 deletions

module/docs/entra-powershell-beta/SignIns/Get-EntraBetaAuthorizationPolicy.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,16 @@ Get-EntraBetaAuthorizationPolicy
4444

4545
The `Get-EntraBetaAuthorizationPolicy` cmdlet gets a Microsoft Entra ID authorization policy.
4646

47+
In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the required permissions. The least privileged roles for this operation are:
48+
49+
- Global Reader
50+
- Security Reader
51+
- Security Operator
52+
- Security Administrator
53+
- Cloud Device Administrator
54+
- License Administrator
55+
- Privileged Role Administrator
56+
4757
## Examples
4858

4959
### Example 1: Get all policies
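
Review bot: The added list is headed "least privileged roles" but mixes read-only roles (Global Reader, Security Reader) with administrative ones (Security Administrator, Privileged Role Administrator) in no stated order, for a cmdlet that only reads the authorization policy. Say how the list is ordered, or put the read-only roles first, so a reader picking from it does not assign an administrator role where a reader role would do.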

module/docs/entra-powershell-beta/SignIns/Get-EntraBetaConditionalAccessPolicy.md

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,14 @@ This cmdlet allows an admin to get the Microsoft Entra ID conditional access pol
4747

4848
Conditional access policies are custom rules that define an access scenario.
4949

50+
In delegated scenarios involving work or school accounts, the signed-in user must have a Microsoft Entra role or a custom role with the required permissions to act on behalf of another user. The following least privileged roles support this operation:
51+
52+
- Global Secure Access Administrator (read standard properties)
53+
- Security Reader (read standard properties)
54+
- Security Administrator (read standard properties)
55+
- Global Reader
56+
- Conditional Access Administrator
57+
5058
## Examples
5159

5260
### Example 1: Retrieves a list of all conditional access policies in Microsoft Entra ID
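
Review bot: The "(read standard properties)" qualifier on the first three roles is not defined anywhere in the added text, so a reader cannot tell what Global Reader and Conditional Access Administrator return that the other roles do not. Add a sentence explaining it. The intro sentence here ("involving", "to act on behalf of another user", "The following least privileged roles support this operation") also differs from the wording this commit adds to Get-EntraBetaAuthorizationPolicy.md; pick one form and reuse it.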
@@ -70,13 +78,14 @@ This example retrieves a list of all conditional access policies in Microsoft En
7078

7179
```powershell
7280
Connect-Entra -Scopes 'Policy.Read.All'
73-
Get-EntraBetaConditionalAccessPolicy -PolicyId 'eeeeeeee-4444-5555-6666-ffffffffffff'
81+
$policy = Get-EntraBetaConditionalAccessPolicy | Where-Object {$_.DisplayName -eq 'Multifactor authentication for Contoso partners and vendors'}
82+
Get-EntraBetaConditionalAccessPolicy -PolicyId $policy.Id
7483
```
7584

7685
```Output
77-
Id CreatedDateTime Description DisplayName ModifiedDateTime State
78-
-- --------------- ----------- ----------- ---------------- -----
79-
eeeeeeee-4444-5555-6666-ffffffffffff 2/27/2024 6:23:21 AM ConditionalAccessPolicy 2/29/2024 2:41:17 PM disabled
86+
Id CreatedDateTime Description DisplayName ModifiedDateTime State TemplateId
87+
-- --------------- ----------- ----------- ---------------- ----- ----------
88+
eeeeeeee-4444-5555-6666-ffffffffffff 2/27/2024 6:23:21 AM Multifactor authentication 2/29/2024 2:41:17 PM disabled
8089
```
8190

8291
This example retrieves a specified conditional access policy in Microsoft Entra ID.
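
Review bot: In the new example, `Get-EntraBetaConditionalAccessPolicy | Where-Object {...}` downloads every policy and filters client-side, and nothing covers the case where no policy has that display name, in which case `$policy.Id` is `$null` when it reaches `-PolicyId`. Add a short check or say in the text that the policy is assumed to exist. The updated Output block also shows DisplayName as "Multifactor authentication", which does not match the full string the command filters on, and adds a TemplateId column with no value in the row.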

module/docs/entra-powershell-beta/SignIns/Get-EntraBetaFeatureRolloutPolicy.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,8 @@ This command retrieves a list of all cloud authentication roll-out policies in M
7878

7979
```powershell
8080
Connect-Entra -Scopes 'Directory.ReadWrite.All'
81-
Get-EntraBetaFeatureRolloutPolicy -Id 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb'
81+
$policy = Get-EntraBetaFeatureRolloutPolicy -Filter "DisplayName eq 'FeatureRolloutPolicy'"
82+
Get-EntraBetaFeatureRolloutPolicy -Id $policy.Id
8283
```
8384

8485
```Output
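
Review bot: `-Filter "DisplayName eq 'FeatureRolloutPolicy'"` can return more than one policy or none, and the next line passes `$policy.Id` straight to `-Id`. State in the example text that the display name is assumed to be unique, or select a single result before using its Id. The server-side `-Filter` used here is preferable to the `Where-Object` lookups added in the other files of this commit; use it there too where the cmdlet supports it.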

module/docs/entra-powershell-beta/SignIns/Get-EntraBetaNamedLocationPolicy.md

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,14 @@ This cmdlet allows an admin to get the Microsoft Entra ID named location policie
4848

4949
Named locations are custom rules that define network locations, which can then be used in a Conditional Access policy.
5050

51+
In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or custom role with the required permissions. The least privileged roles for this operation are:
52+
53+
- Global Secure Access Administrator (read-only standard properties)
54+
- Security Reader (read-only standard properties)
55+
- Security Administrator (read-only standard properties)
56+
- Global Reader
57+
- Conditional Access Administrator
58+
5159
## Examples
5260

5361
### Example 1: Retrieves a list of all named location policies in Microsoft Entra ID
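
Review bot: "when acting on another user" in the added sentence does not fit this cmdlet, which reads named location policies rather than user objects; drop the clause. The qualifier is written "(read-only standard properties)" here and "(read standard properties)" in Get-EntraBetaConditionalAccessPolicy.md; use one spelling across the files.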
@@ -72,13 +80,14 @@ This command retrieves a list of all named location policies in Microsoft Entra
7280

7381
```powershell
7482
Connect-Entra -Scopes 'Policy.Read.All'
75-
Get-EntraBetaNamedLocationPolicy -PolicyId 'dddddddd-3333-4444-5555-eeeeeeeeeeee'
83+
$policy = Get-EntraBetaNamedLocationPolicy | Where-Object {$_.DisplayName -eq 'Provisioning Workers'}
84+
Get-EntraBetaNamedLocationPolicy -PolicyId $policy.Id
7685
```
7786

7887
```Output
7988
Id CreatedDateTime DisplayName ModifiedDateTime
8089
-- --------------- ----------- ----------------
81-
dddddddd-3333-4444-5555-eeeeeeeeeeee 31/07/2024 9:53:10 NamedLocation 31/07/2024 9:53:10
90+
dddddddd-3333-4444-5555-eeeeeeeeeeee 31/07/2024 9:53:10 Provisioning.. 31/07/2024 9:53:10
8291
```
8392

8493
This example retrieves a specified named location policy in Microsoft Entra ID.
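
Review bot: The new Output row shows DisplayName as "Provisioning..", so the sample output no longer shows the 'Provisioning Workers' name the command filters on. Widen the column in the sample or show the full name so the output can be matched to the command.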

module/docs/entra-powershell-beta/SignIns/Get-EntraBetaPermissionGrantConditionSet.md

Lines changed: 7 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -56,13 +56,8 @@ Get a Microsoft Entra ID permission grant condition set object by ID.
5656

5757
```powershell
5858
Connect-Entra -Scopes 'Policy.Read.PermissionGrant'
59-
$permissionGrantPolicyId = 'policy1'
60-
$params = @{
61-
PolicyId = $permissionGrantPolicyId
62-
ConditionSetType = 'includes'
63-
}
64-
65-
Get-EntraBetaPermissionGrantConditionSet @params
59+
$permissionGrantPolicy = Get-EntraBetaPermissionGrantPolicy | Where-Object {$_.Id -eq 'my-custom-consent-policy'}
60+
Get-EntraBetaPermissionGrantConditionSet -PolicyId $permissionGrantPolicy.Id -ConditionSetType 'includes'
6661
```
6762

6863
```Output
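
Review bot: The new lookup filters `Get-EntraBetaPermissionGrantPolicy` on `$_.Id -eq 'my-custom-consent-policy'` and then passes `$permissionGrantPolicy.Id` to `-PolicyId`, so it fetches every policy only to recover the Id it already had. Pass the Id literally, or filter on a different property such as the display name if the aim is to show discovery. The same pattern is repeated in the two later examples in this file.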
@@ -80,13 +75,8 @@ This command gets all permission grant condition sets that are included in the p
8075

8176
```powershell
8277
Connect-Entra -Scopes 'Policy.Read.PermissionGrant'
83-
$permissionGrantPolicyId = 'policy1'
84-
$params = @{
85-
PolicyId = $permissionGrantPolicyId
86-
ConditionSetType = 'excludes'
87-
}
88-
89-
Get-EntraBetaPermissionGrantConditionSet @params
78+
$permissionGrantPolicy = Get-EntraBetaPermissionGrantPolicy | Where-Object {$_.Id -eq 'my-custom-consent-policy'}
79+
Get-EntraBetaPermissionGrantConditionSet -PolicyId $permissionGrantPolicy.Id -ConditionSetType 'excludes'
9080
```
9181

9282
```Output
@@ -105,14 +95,9 @@ This command gets all permission grant condition sets that are excluded in the p
10595

10696
```powershell
10797
Connect-Entra -Scopes 'Policy.Read.PermissionGrant'
108-
$permissionGrantPolicyId = 'policy1'
109-
$params = @{
110-
PolicyId = $permissionGrantPolicyId
111-
ConditionSetType = 'includes'
112-
Id = 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb'
113-
}
114-
115-
Get-EntraBetaPermissionGrantConditionSet @params
98+
$permissionGrantPolicy = Get-EntraBetaPermissionGrantPolicy | Where-Object {$_.Id -eq 'my-custom-consent-policy'}
99+
$conditionSet = Get-EntraBetaPermissionGrantConditionSet -PolicyId $permissionGrantPolicy.Id -ConditionSetType 'includes' | Where-Object {$_.PermissionType -eq 'delegated'}
100+
Get-EntraBetaPermissionGrantConditionSet -PolicyId $permissionGrantPolicy.Id -ConditionSetType 'includes' -Id $conditionSet.Id
116101
```
117102

118103
```Output
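
Review bot: `Where-Object {$_.PermissionType -eq 'delegated'}` on the second added line can match several condition sets in one policy, in which case `$conditionSet.Id` is an array when it is passed to `-Id` on the third line. Select a single condition set before using it, and say in the example text which one is meant.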

module/docs/entra-powershell-beta/SignIns/Get-EntraBetaPolicy.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,8 @@ This example shows how to get a specific policy using Display Name.
8484

8585
```powershell
8686
Connect-Entra -Scopes 'Policy.Read.All'
87-
Get-EntraBetaPolicy -Id 'bbbbbbbb-1111-2222-3333-cccccccccccc'
87+
$policy = Get-EntraBetaPolicy | Where-Object {$_.DisplayName -eq 'Microsoft User Default Recommended Policy'}
88+
Get-EntraBetaPolicy -Id $policy.Id
8889
```
8990

9091
```Output

module/docs/entra-powershell-beta/SignIns/New-EntraBetaConditionalAccessPolicy.md

Lines changed: 17 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -44,12 +44,17 @@ This cmdlet allows an admin to create new conditional access policy in Microsoft
4444

4545
Conditional access policies are custom rules that define an access scenario.
4646

47+
In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The least privileged roles for this operation are:
48+
49+
- Security Administrator
50+
- Conditional Access Administrator
51+
4752
## Examples
4853

4954
### Example 1: Creates a new conditional access policy in Microsoft Entra ID that require MFA to access Exchange Online
5055

5156
```powershell
52-
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
57+
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
5358
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
5459
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
5560
$conditions.Applications.IncludeApplications = '00000002-0000-0ff1-ce00-000000000000'
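
Review bot: The Connect-Entra line in Example 1 now requests 'Policy.Read.All' in addition to 'Policy.ReadWrite.ConditionalAccess', but nothing in the added text says why the second scope is needed. Add a sentence on what each scope is for, since the reader is being asked to consent to both.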
@@ -58,14 +63,7 @@ $conditions.Users.IncludeUsers = 'all'
5863
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
5964
$controls._Operator = 'OR'
6065
$controls.BuiltInControls = 'mfa'
61-
$params = @{
62-
DisplayName = 'MFA policy'
63-
State = 'Enabled'
64-
Conditions = $conditions
65-
GrantControls = $controls
66-
}
67-
68-
New-EntraBetaConditionalAccessPolicy @params
66+
New-EntraBetaConditionalAccessPolicy -DisplayName 'MFA policy' -State 'Enabled' -Conditions $conditions -GrantControls $controls
6967
```
7068

7169
```Output
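
Review bot: The rewritten command still creates the policy with `-State 'Enabled'` while the hunk context shows `$conditions.Users.IncludeUsers = 'all'`, so a copy-paste enforces MFA on every user immediately. Consider showing the policy created in a disabled or report-only state, or add a sentence telling readers to scope and test the policy before enabling it.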
@@ -85,7 +83,7 @@ This command creates a new conditional access policy in Microsoft Entra ID that
8583
### Example 2: Creates a new conditional access policy in Microsoft Entra ID that blocks access to Exchange Online from nontrusted regions
8684

8785
```powershell
88-
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
86+
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
8987
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
9088
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
9189
$conditions.Applications.IncludeApplications = '00000002-0000-0ff1-ce00-000000000000'
@@ -97,14 +95,7 @@ $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessG
9795
$controls._Operator = 'OR'
9896
$controls.BuiltInControls = 'block'
9997
100-
$params = @{
101-
DisplayName = 'MFA policy'
102-
State = 'Enabled'
103-
Conditions = $conditions
104-
GrantControls = $controls
105-
}
106-
107-
New-EntraBetaConditionalAccessPolicy @params
98+
New-EntraBetaConditionalAccessPolicy -DisplayName 'MFA policy' -State 'Enabled' -Conditions $conditions -GrantControls $controls
10899
```
109100

110101
```Output
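
Review bot: The rewritten command keeps `-DisplayName 'MFA policy'` although the context line just above sets `$controls.BuiltInControls = 'block'`, so the example creates a block policy under an MFA name. Give it a name that matches what it does, for example one that mentions blocking nontrusted regions as the Example 2 heading does.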
@@ -123,7 +114,7 @@ This command creates a new conditional access policy in Microsoft Entra ID that
123114
### Example 3: Use all conditions and controls
124115

125116
```powershell
126-
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
117+
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
127118
128119
$Condition = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
129120
$Condition.clientAppTypes = @("mobileAppsAndDesktopClients","browser")
@@ -140,13 +131,7 @@ $SessionControls = New-Object -TypeName Microsoft.Open.MSGraph.Model.Conditional
140131
$ApplicationEnforcedRestrictions = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationEnforcedRestrictions
141132
$ApplicationEnforcedRestrictions.IsEnabled = $true
142133
$SessionControls.applicationEnforcedRestrictions = $ApplicationEnforcedRestrictions
143-
$params = @{
144-
DisplayName = "ConditionalAccessPolicy"
145-
Conditions = $conditions
146-
GrantControls = $controls
147-
SessionControls = $SessionControls
148-
}
149-
New-EntraBetaConditionalAccessPolicy @params
134+
New-EntraBetaConditionalAccessPolicy -DisplayName 'MFA policy' -SessionControls $SessionControls -Conditions $conditions -GrantControls $controls
150135
```
151136

152137
```Output
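
Review bot: The new command passes `-Conditions $conditions` and `-GrantControls $controls`, but the setup visible for Example 3 assigns `$Condition` (singular); unless `$conditions` and `$controls` are defined in lines not shown here, those parameters receive `$null`. Align the variable names with the setup. The display name also changes from "ConditionalAccessPolicy" to 'MFA policy', so all three examples now create a policy with the same name; keep them distinct.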
@@ -302,6 +287,12 @@ This cmdlet supports the common parameters: `-Debug`, `-ErrorAction`, `-ErrorVar
302287

303288
## Notes
304289

290+
291+
[Condition access policy](https://learn.microsoft.com/graph/api/resources/conditionalaccesspolicy)
292+
[Built controls](https://learn.microsoft.com/graph/api/resources/conditionalaccessgrantcontrols)
293+
[Conditions](https://learn.microsoft.com/graph/api/resources/conditionalaccessconditionset)
294+
[Session controls](https://learn.microsoft.com/graph/api/resources/conditionalaccesssessioncontrols)
295+
305296
## Related Links
306297

307298
[Get-EntraBetaConditionalAccessPolicy](Get-EntraBetaConditionalAccessPolicy.md)
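
Review bot: In the added Notes links, "Condition access policy" should read "Conditional access policy", and "Built controls" labels a link to conditionalaccessgrantcontrols, so "Grant controls" is the accurate label. The four links sit on consecutive lines with no list markers, so Markdown will render them as one run-on paragraph; make them a bullet list.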

module/docs/entra-powershell-beta/SignIns/New-EntraBetaFeatureRolloutPolicy.md

Lines changed: 12 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -48,12 +48,7 @@ The policy admin can identify whether the users authenticate using password hash
4848

4949
```powershell
5050
Connect-Entra -Scopes 'Directory.ReadWrite.All'
51-
$params = @{
52-
Feature = 'PassthroughAuthentication'
53-
DisplayName = 'Passthrough Authentication Rollout Policy'
54-
IsEnabled = $false
55-
}
56-
New-EntraBetaFeatureRolloutPolicy @params
51+
New-EntraBetaFeatureRolloutPolicy -Feature 'PassthroughAuthentication' -DisplayName 'Passthrough Authentication Rollout Policy' -IsEnabled $false
5752
```
5853

5954
```Output
@@ -67,22 +62,14 @@ This example creates the policy for cloud authentication roll-out in Microsoft E
6762

6863
- `-Feature` specifies a feature assigned to the cloud authentication roll-out policy.
6964
Currently, you can assign PassthroughAuthentication | SeamlessSso | PasswordHashSync | EmailAsAlternateId.
70-
7165
- `-DisplayName` specifies the display name of the cloud authentication roll-out policy.
72-
7366
- `-IsEnabled` specifies the status of cloud authentication roll-out policy.
7467

7568
### Example 2: Creates the policy for cloud authentication roll-out in Microsoft Entra ID
7669

7770
```powershell
7871
Connect-Entra -Scopes 'Directory.ReadWrite.All'
79-
$params = @{
80-
Feature = 'PassthroughAuthentication'
81-
DisplayName = 'FeatureRolloutPolicy'
82-
IsEnabled = $false
83-
IsAppliedToOrganization = $false
84-
}
85-
New-EntraBetaFeatureRolloutPolicy @params
72+
New-EntraBetaFeatureRolloutPolicy -Feature 'PassthroughAuthentication' -DisplayName 'FeatureRolloutPolicy' -IsEnabled $false -IsAppliedToOrganization $false
8673
```
8774

8875
```Output
@@ -96,11 +83,8 @@ This command creates the policy for cloud authentication roll-out in Microsoft E
9683

9784
- `-Feature` specifies a feature assigned to the cloud authentication roll-out policy.
9885
Currently, you can assign PassthroughAuthentication | SeamlessSso | PasswordHashSync | EmailAsAlternateId.
99-
10086
- `-DisplayName` specifies the display name of the cloud authentication roll-out policy.
101-
10287
- `-IsEnabled` specifies the status of cloud authentication roll-out policy.
103-
10488
- `-IsAppliedToOrganization` specifies if the cloud authentication roll-out policy applied to the entire organization.
10589

10690
## Parameters
@@ -125,7 +109,14 @@ Accept wildcard characters: False
125109
126110
Specifies a feature assigned to the cloud authentication roll-out policy.
127111
128-
Currently, you can assign PassthroughAuthentication | SeamlessSso | PasswordHashSync | EmailAsAlternateId.
112+
Possible values are:
113+
- passthroughAuthentication
114+
- seamlessSso
115+
- passwordHashSync
116+
- emailAsAlternateId
117+
- unknownFutureValue
118+
- certificateBasedAuthentication
119+
- multiFactorAuthentication
129120
130121
```yaml
131122
Type: FeatureEnum
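
Review bot: The new "Possible values" list includes `unknownFutureValue`, which reads as a sentinel rather than something a caller should pass, and places it in the middle of the list; drop it or note that it is not a usable value. The values are now written in camelCase (`passthroughAuthentication`) while the examples in this file still pass 'PassthroughAuthentication' and the example bullets still name only four features, so update those to match.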
@@ -215,6 +206,8 @@ This cmdlet supports the common parameters: `-Debug`, `-ErrorAction`, `-ErrorVar
215206

216207
## Notes
217208

209+
See more details - [Feature rollout policy](https://learn.microsoft.com/graph/api/resources/featurerolloutpolicy)
210+
218211
## Related Links
219212

220213
[Get-EntraBetaFeatureRolloutPolicy](Get-EntraBetaFeatureRolloutPolicy.md)

module/docs/entra-powershell-beta/SignIns/New-EntraBetaNamedLocationPolicy.md

Lines changed: 9 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,11 @@ This cmdlet allows an admin to create new named location policy in Microsoft Ent
4343

4444
Conditional access policies are custom rules that define an access scenario.
4545

46+
In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or custom role with the required permissions. The least privileged roles for this operation are:
47+
48+
- Security Administrator
49+
- Conditional Access Administrator
50+
4651
## Examples
4752

4853
### Example 1: Creates a new Ip named location policy in Microsoft Entra ID
@@ -51,14 +56,8 @@ Conditional access policies are custom rules that define an access scenario.
5156
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
5257
$ipRanges = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
5358
$ipRanges.cidrAddress = '6.5.4.3/32'
54-
$params = @{
55-
OdataType = '#microsoft.graph.ipNamedLocation'
56-
DisplayName = 'IP named location policy'
57-
IsTrusted = $false
58-
IpRanges = $ipRanges
59-
}
60-
61-
New-EntraBetaNamedLocationPolicy @params
59+
$type = '#microsoft.graph.ipNamedLocation'
60+
New-EntraBetaNamedLocationPolicy -OdataType $type -DisplayName 'IP named location policy' -IsTrusted $false -IpRanges $ipRanges
6261
```
6362

6463
```Output
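
Review bot: The context line `$ipRanges.cidrAddress = '6.5.4.3/32'` puts a real routable address in a sample; while this example is being edited, switch it to a documentation range such as 192.0.2.0/24 (RFC 5737). The new `$type` variable is used once on the following line and could be passed inline like the other parameters.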
@@ -78,14 +77,8 @@ This command creates a new country named location policy in Microsoft Entra ID.
7877

7978
```powershell
8079
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess'
81-
$params = @{
82-
OdataType = '#microsoft.graph.countryNamedLocation'
83-
DisplayName = 'Country named location policy'
84-
CountriesAndRegions = 'IN'
85-
IncludeUnknownCountriesAndRegions = $false
86-
}
87-
88-
New-EntraBetaNamedLocationPolicy @params
80+
$type = '#microsoft.graph.countryNamedLocation'
81+
New-EntraBetaNamedLocationPolicy -OdataType $type -DisplayName 'Country named location policy' -CountriesAndRegions 'IN' -IncludeUnknownCountriesAndRegions $false
8982
```
9083

9184
```Output

module/docs/entra-powershell-beta/SignIns/New-EntraBetaOauth2PermissionGrant.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ In delegated scenarios using work or school accounts, the signed-in user must ha
5454

5555
```powershell
5656
Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
57-
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Hakeem Helpdesk'"
57+
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Contoso Marketing'"
5858
$graphApp = Get-EntraBetaServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
5959
$params = @{
6060
ClientId = $servicePrincipal.Id
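
Review bot: The service principal is looked up with a `DisplayName eq 'Contoso Marketing'` filter and its Id goes straight into `ClientId` of the permission grant; display names are not unique, so a second app with the same name would make `$servicePrincipal.Id` an array or point the grant at the wrong app. Filter on AppId, as the next line does for `$graphApp`, or state that the name is assumed to be unique.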
@@ -80,7 +80,7 @@ This command Grant authorization to impersonate all users.
8080

8181
```powershell
8282
Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
83-
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Hakeem Helpdesk'"
83+
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Contoso Marketing'"
8484
$graphApp = Get-EntraBetaServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
8585
$user = Get-EntraBetaUser -UserId 'SawyerM@contoso.com'
8686
$params = @{
