Document Conditional Access with PowerShell

This PowerShell script documents your Azure AD Conditional Access policies. The script exports all data as a csv file which can be pretty formatted as excel workbook.

1. Install this script from the PowerShell gallery (dependent modules are automatically installed):

   • Install-Script -Name Invoke-ConditionalAccessDocumentation -Scope CurrentUser

   • Script is saved to the user's default script lcoation:

     • Windows : "C:\Users\%USERNAME%\Documents\WindowsPowerShell\Scripts"
     • macOS: ~/.local/share/powershell/scripts

2. Connect to Microsoft Graph

   • Grant initial admin consent: Connect-Graph -Scopes "Application.Read.All", "Group.Read.All", "Policy.Read.All", "RoleManagement.Read.Directory", "User.Read.All" -ContextScope Process

   • You can also connect to Microsoft Graph Beta endpoint with Select-MgProfile -Name "Beta", this will also export policies with preview features like workload identities

   • After initial admin consent has been granted you can connect with: Connect-Graph for subsequent usage

3. Run script via PowerShell dot sourcing

   • & "C:\Users\$env:USERNAME\Documents\WindowsPowerShell\Scripts\Invoke-ConditionalAccessDocumentation.ps1"

4. (Optional) Pretty format the csv with excel & save it as excel workbook

   •