TenLens
Back to script library
Entra / Microsoft 365 · Conditional Access

Update break glass users ca policies

Make sure that our break glass users are excluded from every CA policy that's active in the organization.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.ConditionalAccess

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.ConditionalAccess
# These are the policy states that will be updated with break glass accounts if required.
[array]$PolicyStatesToProcess = "enabledForReportingButNotEnforced", "enabled","disabled"
[array]$BreakGlassUsers = "91813a30-f048-48f1-a0f2-fd7c72020515", "b7289bc7-7e4e-44e2-ae1b-7e13e94e3749"
 
[int]$PoliciesUpdated = 0
Write-Host "Finding conditional access policies... "
[array]$Policies = Get-MgIdentityConditionalAccessPolicy | Sort-Object DisplayName
 
ForEach ($Policy in $Policies) {
    Write-Host ("Checking settings for conditional access policy {0}" -f $Policy.displayName) -foregroundcolor Yellow
    if (($Policy.Conditions.ClientApplications.IncludeServicePrincipals -ne $null) -or ($Policy.Conditions.ClientApplications.ExcludeServicePrincipals -ne $null)) {
        Write-Host ("CA Policy {0} is scoped to Workload Identities - it is not relevant to add break glass accounts here" -f $Policy.displayName) -ForegroundColor Green
    } else {
        [array]$ExcludedUsers = $Policy.conditions.users.excludeUsers
        [bool]$needChange = $false
        ForEach ($User in $BreakGlassUsers) {
            If ($User -notin $ExcludedUsers) {
            Write-Host ("Can't find user {0} in CA policy {1}" -f (Get-MgUser -UserId $User).DisplayName, $Policy.DisplayName)
            If ($Policy.State -in $PolicyStatesToProcess) {
                Write-Host ("Updating {0} with break glass accounts" -f $Policy.displayName) -ForegroundColor Red
                $Policy.conditions.users.excludeUsers += $User
                $needChange = $true
            }
            }
        }
        if ($needChange) {
            # Parameters needed to update a CA policy
            $Parameters = @{
                Conditions = @{
                    users = @{
                        excludeUsers = @(
                            $Policy.conditions.users.excludeUsers
                        )
                    }
                }
            }
            $PoliciesUpdated++
            Update-MgIdentityConditionalAccessPolicy -BodyParameter $Parameters -ConditionalAccessPolicyId $Policy.Id
            $needChange = $false
        } else {
            Write-Host ("CA Policy {0} already has break glass accounts excluded" -f $Policy.displayName) -ForegroundColor Green
        }
    }
}
 
Write-Host ("{0} policies processed and {1} updated" -f $Policies.count, $PoliciesUpdated)
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.