Skip to main content

Microsoft Entra

Microsoft Entra Backend

Overview

This integration uses both a bash script and PowerShell script to execute. The PowerShell script manages conditional access policies and named locations in Microsoft Azure using the Microsoft Graph API. It supports adding, removing, and flushing IP-based named locations within conditional access policies. The script is designed to optimize API calls by caching policy and location data.

Prerequisites

• Azure PowerShell Module
• Microsoft Graph PowerShell Module
• Azure AD app registration with appropriate permissions to manage conditional access policies

Parameters

• **`$action`**: Specifies the action to perform. Acceptable values are `add`, `remove`, and `flush`.

• **`$acl`**: Name of the access control list (ACL) to modify.

• **`$ip`**: IP address to add or remove from the named location.

Functions

Get-ClientSecret

```powershell
function Get-ClientSecret {
    param (
        [string]$secretName
    )
    return "your-secure-secret"  # Placeholder for testing
}
```

Retrieves a client secret securely from a storage system like Azure Key Vault.

Get-NamedLocationId

```powershell
function Get-NamedLocationId {
    param ([string]$displayName)
    # Implementation...
}
```

Retrieves the ID of a named location by its display name, caching the result to minimize repeated API calls.

Update-NamedLocationTrustStatus

```powershell
function Update-NamedLocationTrustStatus {
    param (
        [string]$NamedLocationId,
        [bool]$IsTrusted,
        [string]$LocationType = "#microsoft.graph.ipNamedLocation"
    )
    # Implementation...
}
```

Updates the trust status of a named location.

Get-ConditionalAccessPolicy

```powershell
function Get-ConditionalAccessPolicy {
    param ([string]$displayName)
    # Implementation...
}
```

Retrieves a conditional access policy by its display name, caching the result to minimize repeated API calls.

Update-ConditionalAccessPolicy

```powershell
function Update-ConditionalAccessPolicy {
    param (
        [string]$PolicyId,
        [array]$LocationIds
    )
    # Implementation...
}
```

Updates a conditional access policy with a list of named location IDs.

Add-NamedLocationAndModifyPolicy

```powershell
function Add-NamedLocationAndModifyPolicy {
    # Implementation...
}
```

Adds a named location if it does not exist and updates the specified conditional access policy to include the new named location.

Remove-LocationFromPolicies

```powershell
function Remove-LocationFromPolicies {
    param ([string]$NamedLocationId)
    # Implementation...
}
```

Removes a named location from all conditional access policies and then deletes the named location.

Flush-NamedLocationsFromPolicy

```powershell
function Flush-NamedLocationsFromPolicy {
    # Implementation...
}
```

Removes all named locations matching the pattern `knocknoc_*` from all conditional access policies and then deletes these named locations.

Usage

Add a Named Location and Modify Policy

```powershell
.\Script.ps1 -action add -acl "aclName" -ip "192.168.1.1"
```

Adds the specified IP address as a named location and modifies the specified access control list to include this named location.

Remove a Named Location from Policies

```powershell
.\Script.ps1 -action remove -acl "aclName" -ip "192.168.1.1"
```

Removes the specified IP address from the named locations in all policies.

Flush Named Locations from Policies

```powershell
.\Script.ps1 -action flush -acl "aclName"
```

Removes all named locations that match the pattern `knocknoc_*` from all policies.

Authentication

The script requires authentication with Microsoft Graph API. This is achieved by creating a PSCredential object using the client ID, tenant ID, and client secret.

Example

```powershell
param (
    [ValidateSet('add', 'remove', 'flush')][string]$action,
    [string]$acl,
    [ValidatePattern('^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$')][string]$ip
)

# Authentication
$ClientId = "client"
$TenantId = "tenant"
$ClientSecret = "secret"

try {
    $ClientSecretPass = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
    $ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ClientId, $ClientSecretPass

    Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential -NoWelcome
} catch {
    Write-Host "Failed to authenticate with Microsoft Graph. Error: $_"
    exit 1
}

# Action map
$actionMap = @{
    'add'    = { Add-NamedLocationAndModifyPolicy }
    'remove' = {
        $NamedLocationId = Get-NamedLocationId "knocknoc_$ip"
        if ($null -eq $NamedLocationId) {
            Write-Host "Named location 'knocknoc_$ip' not found."
        } else {
            Remove-LocationFromPolicies -NamedLocationId $NamedLocationId
        }
    }
    'flush'  = { Flush-NamedLocationsFromPolicy }
}

# Execute action
if ($actionMap.ContainsKey($action)) {
    & $actionMap[$action]
} else {
    Write-Host "Invalid action specified"
}
```

Notes

• Ensure that the Azure and Microsoft Graph PowerShell modules are installed and imported in your environment.
• Adjust the throttle limit for concurrency as needed.
• Securely store and retrieve secrets using Azure Key Vault or another secure method.

Back to top