HOWTO: Get rid of the Conditional Access Baseline Policies in your Azure AD tenant

Azure Active Directory

In September 2018, Microsoft introduced the concept of Conditional Access baseline policies. Baseline policies were superseded by Security Defaults, and starting February 2020 the Baseline Conditional Access policies were disabled in all Azure AD tenants. However, these lingering baseline policies are all Off and cannot be turned on. They also cannot be removed from the Azure AD Portal. With the advent of the Conditional Access API, however, there is now a way.


The process

The process of removing the Conditional Access Baseline Policies in your Azure AD tenant consists of the following steps:

  1. Make a backup of all Conditional Access policies your organization uses
  2. Delete all Conditional Access policies
  3. Turn on Security Defaults
  4. Turn off Security Defaults
  5. Restore the Conditional Access policies your organization uses

Between steps 2 and 5 none of your own Conditional Access policies are enforced; Security Defaults cover that gap only while they are on in step 3. Perform these steps in a maintenance window and keep an emergency access (break-glass) account at hand. Also note that the policies restored in step 5 are newly created objects and receive new policy IDs.

For steps 1, 2 and 5, we'll use PowerShell. My colleague Barbara Forbes has created a great HOWTO on working with the Conditional Access APIs, and we'll use that information to do the job.


Getting Ready

Before we can work with the Conditional Access policies in Windows PowerShell, we need to make sure we meet the requirements:

  • We need a system with appropriate network connectivity and at least Windows PowerShell 5.
  • We need at least version 2.0.2.106 of the Azure AD PowerShell module installed. You can install it using the following line of Windows PowerShell:

    Install-Module AzureAD -Force

Note:
If your Conditional Access policies contain conditions that are labeled as Preview in the Azure Management experience, you will need to use the AzureADPreview Windows PowerShell module instead of the AzureAD Windows PowerShell module, as the AzureAD module will not return any Conditional Access policies with Preview conditions configured.

  • On devices with Windows PowerShell 5, import the AzureAD PowerShell module using the following line of Windows PowerShell:

    Import-Module AzureAD

    On devices with PowerShell 7 and beyond, import the AzureAD PowerShell module through the Windows PowerShell compatibility layer instead:

    Import-Module AzureAD -UseWindowsPowerShell

    In that mode the module's cmdlets run in a background Windows PowerShell session. If the restore script later fails with "Unable to find type" errors on the Microsoft.Open.MSGraph.Model types, run the restore in Windows PowerShell 5 instead.
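A quick check that the session meets the requirements above saves a failed run halfway through the procedure. The following is an added example, not code from the original post or from the AzureAD module; it assumes only the module and minimum version the post already names (set $ModuleName to AzureADPreview if your policies contain Preview conditions).

```powershell
# Added example (not from the original post): check the prerequisites before
# touching any Conditional Access policy.
$ModuleName            = 'AzureAD'   # 'AzureADPreview' if policies use Preview conditions
$RequiredModuleVersion = [version]'2.0.2.106'

if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "Windows PowerShell 5 or later is required; found $($PSVersionTable.PSVersion)."
}

# Highest installed version of the module, if any
$Installed = Get-Module -Name $ModuleName -ListAvailable |
    Sort-Object -Property Version -Descending |
    Select-Object -First 1

if (-not $Installed -or $Installed.Version -lt $RequiredModuleVersion) {
    throw "$ModuleName $RequiredModuleVersion or later is required; found '$($Installed.Version)'. Run: Install-Module $ModuleName -Force"
}

# PowerShell 7 loads the module through the Windows PowerShell compatibility layer
if ($PSVersionTable.PSVersion.Major -ge 7) {
    Import-Module -Name $ModuleName -UseWindowsPowerShell
} else {
    Import-Module -Name $ModuleName
}

# Make sure every cmdlet this HOWTO relies on is available in the session
$RequiredCmdlets = 'Connect-AzureAD',
                   'Get-AzureADMSConditionalAccessPolicy',
                   'Remove-AzureADMSConditionalAccessPolicy',
                   'New-AzureADMSConditionalAccessPolicy'
foreach ($Cmdlet in $RequiredCmdlets) {
    if (-not (Get-Command -Name $Cmdlet -ErrorAction SilentlyContinue)) {
        throw "Cmdlet $Cmdlet not found; check the $ModuleName module version."
    }
}

Write-Output "$ModuleName $($Installed.Version) loaded; ready to connect."
```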


Make a backup of all Conditional Access policies

To make a backup of all Conditional Access policies your organization uses, change to a directory where you want to store the backups of the Conditional Access policies and run the following line of Windows PowerShell:

Connect-AzureAD

Sign in with an account that has the Global administrator role or Conditional Access administrator role assigned.

Then perform the following lines of Windows PowerShell:

$AllPolicies = Get-AzureADMSConditionalAccessPolicy

foreach ($Policy in $AllPolicies) {
    Write-Output "Backing up $($Policy.DisplayName)"
    # One JSON file per policy, named after the policy's Id
    $PolicyJSON = $Policy | ConvertTo-Json -Depth 6
    $PolicyJSON | Out-File "$($Policy.Id).json"
}


Delete all Conditional Access policies

To be able to turn on the Security Defaults feature, we need to delete all Conditional Access policies; Security Defaults cannot be enabled while Conditional Access policies exist in the tenant. From this point until the policies are restored, the access controls they enforced no longer apply.

In the same Windows PowerShell window you used for the previous step, execute the following line of Windows PowerShell:

Get-AzureADMSConditionalAccessPolicy | Remove-AzureADMSConditionalAccessPolicy
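Deleting every policy is the irreversible step of this procedure, so it is worth pairing it with a check. The following added example (not code from the original post or from the AzureAD module) verifies that each policy in the tenant has a readable backup file in the current directory, named <PolicyId>.json as in the backup step, deletes the policies one by one and then lists whatever remains. It assumes the Connect-AzureAD session from the backup step.

```powershell
# Added example (not from the original post): refuse to delete any policy that
# does not have a usable backup on disk, then delete and report what remains.
# Assumes an existing Connect-AzureAD session and <PolicyId>.json backups in
# the current directory.
$AllPolicies = @(Get-AzureADMSConditionalAccessPolicy)

# A backup is usable when the file exists, parses as JSON and carries the
# same DisplayName as the live policy
$Unbacked = @(foreach ($Policy in $AllPolicies) {
    $BackupPath = Join-Path -Path (Get-Location) -ChildPath "$($Policy.Id).json"
    try {
        $Backup = Get-Content -Path $BackupPath -Raw -ErrorAction Stop | ConvertFrom-Json
        if ($Backup.DisplayName -ne $Policy.DisplayName) { $Policy }
    } catch {
        $Policy
    }
})

if ($Unbacked.Count -gt 0) {
    $Names = ($Unbacked | ForEach-Object { $_.DisplayName }) -join ', '
    throw "No usable backup for: $Names. Nothing was deleted."
}

# Delete explicitly by Id, one policy at a time, logging name and state
foreach ($Policy in $AllPolicies) {
    Write-Output "Deleting $($Policy.DisplayName) (state: $($Policy.State))"
    Remove-AzureADMSConditionalAccessPolicy -PolicyId $Policy.Id
}

# Report what the API still returns before moving on to the portal
$Remaining = @(Get-AzureADMSConditionalAccessPolicy)
if ($Remaining.Count -eq 0) {
    Write-Output "No Conditional Access policies returned by the API."
} else {
    Write-Warning "Still present: $(($Remaining | ForEach-Object { $_.DisplayName }) -join ', ')"
}
```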


Turn on Security Defaults

To turn on the Security Defaults feature, perform the following actions:

  • Open your web browser and navigate to the Azure AD Portal.
  • Sign in with an account with the Global administrator role or Conditional Access administrator role.
    Perform multi-factor authentication when prompted.
  • In the left navigation menu, click on Azure Active Directory.
  • In Azure Active Directory’s menu, click on Properties.
  • At the bottom of the Properties pane, follow the Manage Security defaults link.
    The Enable Security defaults blade appears:

    Enable Security defaults

  • In the Enable Security defaults blade, change the Enable Security defaults option from No to Yes.
  • Click the Save button at the bottom of the blade.


Turn off Security Defaults

Next, perform the following actions to turn the Security Defaults feature off again:

  • In the Enable Security defaults blade, change the Enable Security defaults option from Yes to No.
  • Click the Save button at the bottom of the blade.
  • In Azure Active Directory's menu, open Security, then Conditional Access, and verify that the baseline policies are no longer listed.
  • Close the web browser.


Restore the Conditional Access policies

In the same Windows PowerShell window you used for the previous steps, execute the following lines of Windows PowerShell to restore the Conditional Access policies. Each policy is created with the state it had in the backup, so a policy backed up as enabled is enforced as soon as it is created:

$BackupJsons = Get-ChildItem -Recurse -Include *.json

foreach ($Json in $BackupJsons) {
    $Policy = Get-Content $Json.FullName | ConvertFrom-Json
    Write-Output "Restoring $($Policy.DisplayName)"

    # Cast the deserialized objects back to the module's own types
    [Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet]$Conditions = $Policy.Conditions
    [Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls]$GrantControls = $Policy.GrantControls
    [Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls]$SessionControls = $Policy.SessionControls

    # Rebuild the user condition, copying only the properties that
    # have a value in the backup
    $OldUsers = $Policy.Conditions.Users
    $UserMembers = $OldUsers | Get-Member -MemberType NoteProperty
    $Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    foreach ($member in $UserMembers) {
        if (-not [string]::IsNullOrEmpty($OldUsers.$($member.Name))) {
            $Users.($member.Name) = ($OldUsers.$($member.Name))
        }
    }
    $Conditions.Users = $Users

    # Same for the application condition
    $OldApplications = $Policy.Conditions.Applications
    $ApplicationMembers = $OldApplications | Get-Member -MemberType NoteProperty
    $Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    foreach ($member in $ApplicationMembers) {
        if (-not [string]::IsNullOrEmpty($OldApplications.$($member.Name))) {
            $Applications.($member.Name) = ($OldApplications.$($member.Name))
        }
    }
    $Conditions.Applications = $Applications

    # Create the policy as a new object (it receives a new Id)
    $Parameters = @{
        DisplayName     = $Policy.DisplayName
        State           = $Policy.State
        Conditions      = $Conditions
        GrantControls   = $GrantControls
        SessionControls = $SessionControls
    }
    $null = New-AzureADMSConditionalAccessPolicy @Parameters
}
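Because the restored policies are newly created objects with new IDs, a post-restore check has to match on display name. The following added example (not code from the original post or from the AzureAD module) compares each backup file with the live policies on display name, state, and the user and application scope that the restore script rebuilds by hand, and warns about anything missing, different or extra. It assumes the same Connect-AzureAD session and the <PolicyId>.json backups in the current directory.

```powershell
# Added example (not from the original post): verify the restore against the
# backup files. Assumes an existing Connect-AzureAD session and <PolicyId>.json
# backups in the current directory.
$Backups = @(foreach ($File in Get-ChildItem -Path . -Filter *.json) {
    Get-Content -Path $File.FullName -Raw | ConvertFrom-Json
})
$Live = @(Get-AzureADMSConditionalAccessPolicy)

# Normalize a scope list (null, a single value or an array) to a comparable key
function Get-ScopeKey {
    param($Values)
    (@($Values) | Where-Object { $_ } | Sort-Object) -join ','
}

$Problems = @(foreach ($Backup in $Backups) {
    # Restored policies are new objects with new Ids, so match on DisplayName
    $Match = @($Live | Where-Object { $_.DisplayName -eq $Backup.DisplayName })
    if ($Match.Count -eq 0) { "$($Backup.DisplayName): not restored"; continue }
    if ($Match.Count -gt 1) { "$($Backup.DisplayName): $($Match.Count) live policies share this name"; continue }
    $Match = $Match[0]

    if ($Match.State -ne $Backup.State) {
        "$($Backup.DisplayName): state is $($Match.State), backup says $($Backup.State)"
    }

    # The restore script rebuilds the user and application conditions by hand,
    # so those are the parts most worth comparing with the backup
    $Checks = @(
        @{ Name = 'IncludeUsers';        Backup = $Backup.Conditions.Users.IncludeUsers;               Live = $Match.Conditions.Users.IncludeUsers }
        @{ Name = 'ExcludeUsers';        Backup = $Backup.Conditions.Users.ExcludeUsers;               Live = $Match.Conditions.Users.ExcludeUsers }
        @{ Name = 'IncludeGroups';       Backup = $Backup.Conditions.Users.IncludeGroups;              Live = $Match.Conditions.Users.IncludeGroups }
        @{ Name = 'ExcludeGroups';       Backup = $Backup.Conditions.Users.ExcludeGroups;              Live = $Match.Conditions.Users.ExcludeGroups }
        @{ Name = 'IncludeRoles';        Backup = $Backup.Conditions.Users.IncludeRoles;               Live = $Match.Conditions.Users.IncludeRoles }
        @{ Name = 'ExcludeRoles';        Backup = $Backup.Conditions.Users.ExcludeRoles;               Live = $Match.Conditions.Users.ExcludeRoles }
        @{ Name = 'IncludeApplications'; Backup = $Backup.Conditions.Applications.IncludeApplications; Live = $Match.Conditions.Applications.IncludeApplications }
        @{ Name = 'ExcludeApplications'; Backup = $Backup.Conditions.Applications.ExcludeApplications; Live = $Match.Conditions.Applications.ExcludeApplications }
    )
    foreach ($Check in $Checks) {
        if ((Get-ScopeKey $Check.Backup) -ne (Get-ScopeKey $Check.Live)) {
            "$($Backup.DisplayName): $($Check.Name) differs from the backup"
        }
    }
})

# Anything live that has no backup was not created by the restore
foreach ($Policy in $Live) {
    if ($Policy.DisplayName -notin $Backups.DisplayName) {
        $Problems += "$($Policy.DisplayName): exists in the tenant but not in the backup"
    }
}

if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "All $($Backups.Count) policies restored with matching state and scope."
}
```

The comparison deliberately ignores the policy Id and the creation timestamps, which are expected to differ after a restore; a warning about state or scope is what would indicate a policy that came back different from what was backed up.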


Concluding

With the advent of the Conditional Access APIs, we now have a way to get rid of the Conditional Access Baseline Policies. In the process, we also make a backup of the Conditional Access policies, which is a good thing.

Further reading

Assessing the impact that the new Baseline Policy for Admins in Azure AD might have
KnowledgeBase: Users receive an error when registering MFA when Security Defaults are enabled and the mobile app verification options are disabled
KnowledgeBase: App Passwords are only available to users with a non-Conditional Access MFA requirement
TODO: Move from per-user MFA to Conditional Access
