
Update microsoft irmca policies

Update conditional access policies so that they exclude the Microsoft Rights Management Services app.

Connect & set up

Run this once per session. Scopes are read-only unless the script makes changes; this script updates policies, so it requests a read-write scope.

# Connect to Microsoft Graph once per session. The scope is read-write because the script below updates policies.
Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.ConditionalAccess

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

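# Connect with the scope needed to read and update Conditional Access policies.
Connect-MgGraph -NoWelcome -Scopes Policy.ReadWrite.ConditionalAccess

# App id of the Microsoft Rights Management Services app (the app each policy should exclude).
# Referenced below when building the update body so the id is defined in exactly one place.
$MSFTIRMServices = "00000012-0000-0000-c000-000000000000"

# Only enabled policies are considered; report-only and disabled policies are left untouched.
[array]$Policies = Get-MgIdentityConditionalAccessPolicy -All -Filter "State eq 'enabled'" | Sort-Object DisplayName

ForEach ($Policy in $Policies) {
    Write-Host ("Checking conditional access policy {0}" -f $Policy.displayName)

    # Policies targeting an authentication context have no application target, so an app exclusion cannot be applied.
    If ($Policy.conditions.applications.IncludeAuthenticationContextClassReferences) {
        Write-Host ("Policy {0} uses an authentication context. Can't apply an app exclusion" -f $Policy.displayName) -ForegroundColor Yellow
        Continue
    }

    # Keep the policy's existing exclusions: the excludeApplications collection is replaced as a whole on update,
    # so sending only the IRM app id would silently drop every other excluded app.
    [array]$ExcludedApps = @($Policy.conditions.applications.excludeapplications | Where-Object { -not [string]::IsNullOrEmpty($_) })
    If ($MSFTIRMServices -in $ExcludedApps) {
        Write-Host "Exclusion for Microsoft Rights Management Services app present" -ForegroundColor DarkGray
        Continue
    }

    Write-Host ("Exclusion for Microsoft Rights Management Services app not present in CA policy {0}" -f $Policy.DisplayName)

    # Only policies that require MFA (built-in control or an authentication strength) are candidates.
    [array]$AuthenticationStrength = $Policy.grantcontrols | Select-Object -ExpandProperty AuthenticationStrength
    $RequiresMfa = ($Policy.grantcontrols.builtincontrols -eq 'mfa') -or ($AuthenticationStrength.AllowedCombinations)
    If (-not $RequiresMfa) {
        Write-Host "Policy doesn't use MFA - ignoring" -ForegroundColor Yellow
        Continue
    }

    Write-Host "Checking policy to see if exclusion for Microsoft Rights Management Services app is possible" -ForegroundColor Red
    If ($Policy.grantcontrols.builtincontrols -eq 'passwordchange') {
        Write-Host "Forced password change control means app exclusion is not possible" -ForegroundColor Yellow
        Continue
    }

    # Update body built per policy: the original exclusions plus the IRM app id.
    # After this update the IRM app is no longer subject to this policy's grant controls.
    $Parameters = @{
        Conditions = @{
            applications = @{
                excludeapplications = @($ExcludedApps + $MSFTIRMServices)
            }
        }
    }
    Write-Host "Updating policy with exclusion" -ForegroundColor DarkRed
    Try {
        Update-MgIdentityConditionalAccessPolicy -BodyParameter $Parameters -ConditionalAccessPolicyId $Policy.Id -ErrorAction Stop
    } Catch {
        # Report the failure and continue so one policy does not abort the whole run.
        Write-Warning ("Failed to update policy {0}: {1}" -f $Policy.DisplayName, $_.Exception.Message)
    }
}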
Attribution