So, you’ve probably heard about custom security attributes in Azure AD, right? If not, let me break it down for you. Azure AD lets the cool tech folks (like you and me) craft our own attributes in the directory. Think of it as putting a custom sticker or label on certain users. Maybe you’ve got people working in specific departments or on particular projects? These custom attributes are like those name tags at networking events but way less awkward. And the best part? These can be a game-changer when you’re setting up stuff like conditional access policies.
Before diving deep, you’ll need the Microsoft.Graph module (Install-Module Microsoft.Graph gets it onto your machine). It’s your gateway to all things Microsoft Graph when you’re in the PowerShell realm.
Alright, setting up a custom attribute. Graph isn’t going to hand-deliver this one, but here’s a workaround using a schema extension:
# First things first, connect to Graph (managing schema extensions needs this delegated scope)
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Details for our new attribute. A schema extension needs a description, the object
# types it applies to, and a list of typed properties. Unless you prefix the id with a
# verified domain, Graph assigns the final id itself (ext<prefix>_DepartmentCode).
$attributeDetails = @{
    id          = "DepartmentCode"
    description = "Department code used for access scoping"
    targetTypes = @("User")
    properties  = @(
        @{ name = "DepartmentCode"; type = "String" }
    )
} | ConvertTo-Json -Depth 5
# Now, make it real. Keep the response: its id is the key you use when writing the value to a user.
$schemaExtension = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/schemaExtensions" -Body $attributeDetails -ContentType "application/json"
$schemaExtension.id
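The post stops once the extension exists, so here is an added example (not from the original post) that actually puts the "sticker" on a user and reads it back. It assumes the extension created above and that the same app that created it is the one connecting here; the extension id placeholder, the user UPN and the code value are constructed.

```powershell
# Added example: write a schema-extension value to a user, read it back, then find
# every user carrying the same value. Writing to users needs this delegated scope.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$extensionId = "<id returned by the schemaExtensions POST>"   # placeholder, e.g. ext12345678_DepartmentCode
$userUpn     = "alice@contoso.example"                          # placeholder user
$deptCode    = "FIN-100"                                        # constructed value

# Write the value: the body is keyed by the extension id, with the property nested inside.
$body = @{ $extensionId = @{ DepartmentCode = $deptCode } } | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$userUpn" -Body $body -ContentType "application/json"

# Read it back: extension properties are only returned when you name them in $select.
$user = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userUpn?`$select=id,displayName,$extensionId"
"DepartmentCode on $($user.displayName): $($user[$extensionId].DepartmentCode)"

# Find everyone tagged with that code; extension properties are filterable on users.
$uri = "https://graph.microsoft.com/v1.0/users?`$filter=$extensionId/DepartmentCode eq '$deptCode'&`$select=id,userPrincipalName"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value | ForEach-Object { $_.userPrincipalName }
```

The PATCH returns no body on success, which is why the GET with `$select` is the real confirmation that the value landed.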
Setting Conditional Access with Microsoft Graph in PowerShell
Let’s figure out who’s in the “Finance Department” first:
# Ensure you’re riding the Graph train (these scopes cover the group lookup and the policy work below)
Connect-MgGraph -Scopes "Group.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
# Snag the Finance folks
$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance Department'"
if (-not $financeGroup) { throw "Group 'Finance Department' not found" }
$groupId = $financeGroup.Id
Time to pinpoint our office’s IP:
# Azure AD sees the office’s public egress address, so use that range here rather than the LAN’s private one
$officeIP = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "OfficeLocation"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "192.168.1.0/24"
        }
    )
} | ConvertTo-Json -Depth 5
$officeSpot = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" -Body $officeIP -ContentType "application/json"
Now, for the grand finale: ensuring our Finance pals can only peek into Azure stuff when they’re at the office:
$policyDetails = @{
    displayName = "FinanceTeamOfficeAccess"
    conditions  = @{
        # A policy must target at least one application
        applications = @{
            includeApplications = @("All")
        }
        users = @{
            includeGroups = @($groupId)
            # Keep your break-glass account out of every block policy:
            # excludeUsers = @("<break-glass-account-object-id>")
        }
        # "Only from the office" means: block everywhere, except the trusted office location
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($officeSpot.id)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
    # Use "enabledForReportingButNotEnforced" first to dry-run the policy in the sign-in logs
    state = "enabled"
} | ConvertTo-Json -Depth 10
# Roll out the red carpet for our new policy
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policyDetails -ContentType "application/json"
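A block policy that is scoped the wrong way round locks out exactly the people it was meant to protect, so here is an added example (not from the original post) that reads the policy and named location back and checks the conditions the post relies on. It assumes the display names used above and filters client-side rather than leaning on server-side $filter support.

```powershell
# Added example: verify the policy we just created before trusting it.
Connect-MgGraph -Scopes "Policy.Read.All"

$policyName   = "FinanceTeamOfficeAccess"
$locationName = "OfficeLocation"
$graph        = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"

$policy = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies").value |
    Where-Object { $_.displayName -eq $policyName } | Select-Object -First 1
if (-not $policy) { throw "Policy '$policyName' not found" }

$location = (Invoke-MgGraphRequest -Method GET -Uri "$graph/namedLocations").value |
    Where-Object { $_.displayName -eq $locationName } | Select-Object -First 1
if (-not $location) { throw "Named location '$locationName' not found" }

# Measure-Object gives 0 for both $null and empty arrays, so a missing list never passes
$excludedUsers  = ($policy.conditions.users.excludeUsers   | Measure-Object).Count
$includedGroups = ($policy.conditions.users.includeGroups  | Measure-Object).Count

# Each check is a plain boolean; a FAIL means the policy will not behave as the post describes
$checks = [ordered]@{
    "Named location is marked trusted"                          = [bool]$location.isTrusted
    "All locations are in scope"                                = @($policy.conditions.locations.includeLocations) -contains "All"
    "Office location is excluded (block applies only off-site)" = @($policy.conditions.locations.excludeLocations) -contains $location.id
    "Finance group is targeted"                                 = $includedGroups -gt 0
    "At least one break-glass account is excluded"              = $excludedUsers -gt 0
    "Grant control is block"                                    = @($policy.grantControls.builtInControls) -contains "block"
}

$checks.GetEnumerator() | ForEach-Object {
    "{0} {1}" -f $(if ($_.Value) { "PASS" } else { "FAIL" }), $_.Key
}
"Policy state: $($policy.state) (enabledForReportingButNotEnforced means report-only)"
```

Run this while the policy is still in report-only mode; once every line reads PASS and the sign-in logs show only the expected users being flagged, switching the state to enabled is a one-line PATCH.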
That’s it! With some PowerShell magic and a dash of Microsoft Graph, you’re all set to rock custom attributes and conditional access in Azure. Go you!
Joao Paulo Costa