How to create a conditional access policy in Entra ID using Microsoft Graph PowerShell

The New-MgIdentityConditionalAccessPolicy cmdlet creates a new conditional access policy in Microsoft Entra ID (previously Azure AD). Conditional access policies control how users reach resources based on conditions such as user and sign-in risk, location, device state, and client application, and on the controls (for example, MFA) that must be satisfied before access is granted.

Create conditional access policies using Microsoft Graph PowerShell

Prerequisites

  • Before using the cmdlet, ensure that the Microsoft Graph PowerShell SDK is installed. The cmdlet lives in the Microsoft.Graph.Identity.SignIns module, which the meta-module below installs along with the rest of the SDK:
    Install-Module Microsoft.Graph -Scope CurrentUser
  • Then connect to Microsoft Graph with the permissions the call requires. Creating a policy needs Policy.ReadWrite.ConditionalAccess; Microsoft's documentation also lists Policy.Read.All, and Application.Read.All for policies that reference applications. The signed-in account must also hold a role allowed to write conditional access policies (for example, Conditional Access Administrator or Security Administrator):
    Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

Using the New-MgIdentityConditionalAccessPolicy cmdlet

Run the Graph PowerShell command below to create a new conditional access policy. Replace <name> with the policy's display name, and pass the conditions and grant controls as hashtables (shown as <object> below) whose keys match the properties of the Graph conditionalAccessPolicy resource (Users, Applications, Locations, Operator, BuiltInControls, and so on):

New-MgIdentityConditionalAccessPolicy -DisplayName <name> -State <enabled|disabled|enabledForReportingButNotEnforced> -Conditions <object> -GrantControls <object>

Every policy must specify both a users condition and an applications (or user actions) condition; Graph rejects a policy that omits either. The enabledForReportingButNotEnforced state creates the policy in report-only mode, so its effect shows up in the sign-in logs without being enforced.

Examples

Example 1: Create a basic conditional access policy requiring MFA for all users

This Graph PowerShell command creates a policy that requires MFA for all users on all cloud apps. Because the policy is scoped to All users, it also applies to the account running the command, so exclude your break-glass accounts and test in report-only mode before setting the state to enabled. Entries inside a multi-line hashtable are separated by newlines (or semicolons on one line):

New-MgIdentityConditionalAccessPolicy `
    -DisplayName "Require MFA for All Users" `
    -State "enabled" `
    -Conditions @{
        Users        = @{ IncludeUsers = @("All") }
        Applications = @{ IncludeApplications = @("All") }   # required alongside Users
    } `
    -GrantControls @{
        Operator        = "AND"
        BuiltInControls = @("mfa")
    }

Example 2: Restrict access from specific countries

This Graph PowerShell command blocks sign-ins that originate from a named location. Replace locationID with the id of a named location (for example, a country named location) created beforehand with New-MgIdentityConditionalAccessNamedLocation; the Users and Applications conditions are still required:

New-MgIdentityConditionalAccessPolicy `
    -DisplayName "Block Access from Restricted Countries" `
    -State "enabled" `
    -Conditions @{
        Users        = @{ IncludeUsers = @("All") }
        Applications = @{ IncludeApplications = @("All") }
        Locations    = @{ IncludeLocations = @("locationID") }   # id of an existing named location
    } `
    -GrantControls @{
        Operator        = "AND"
        BuiltInControls = @("block")
    }
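The following is an added, end-to-end example that is not part of the original article and not ManageEngine's code. It ties the two examples above together the way a practitioner would roll a policy out: it resolves a break-glass exclusion group (the group name "CA-BreakGlass" and the country code "XX" are placeholders assumed for this example), creates the country named location the policy references, creates the policy in report-only mode via -BodyParameter, and reads the policy back to confirm the exclusion is present before anyone enables it.

```powershell
# Added example (not from the original article). Assumptions: a security group
# named "CA-BreakGlass" holds the emergency-access accounts, and "XX" stands in
# for the ISO 3166-1 alpha-2 country codes you actually want to block.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "Group.Read.All"

# 1. Resolve the exclusion group so an all-users block can never lock out the
#    emergency accounts. Refuse to continue if it cannot be found.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'" | Select-Object -First 1
if (-not $breakGlass) {
    throw "Break-glass group not found; refusing to create an all-users policy without an exclusion."
}

# 2. Create the country named location the policy will reference.
$blockedCountries = @("XX")   # placeholder: replace with real alpha-2 codes
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    DisplayName                       = "Blocked countries"
    CountriesAndRegions               = $blockedCountries
    IncludeUnknownCountriesAndRegions = $false
}

# 3. Build the whole policy as one hashtable. Report-only state means the policy
#    is evaluated and logged in sign-in logs but not enforced yet.
$policy = @{
    DisplayName   = "Block sign-ins from blocked countries (report-only)"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users        = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlass.Id)
        }
        Applications = @{ IncludeApplications = @("All") }   # required with Users
        Locations    = @{ IncludeLocations = @($location.Id) }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 4. Read the policy back and verify the exclusion actually landed before the
#    policy is ever switched to enforced.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlass.Id) {
    throw "Policy $($created.Id) has no break-glass exclusion; fix it before enabling."
}
"Created policy $($check.Id) in state '$($check.State)'"

# 5. After reviewing report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The read-back check in step 4 is the part worth keeping in any automation: a policy object is accepted as long as it is syntactically valid, so the only way to know the exclusion you intended is really in the stored policy is to fetch it and compare.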

Supported parameters

The following are some essential parameters that can be used along with the New-MgIdentityConditionalAccessPolicy command:

Parameter          Description
-DisplayName       Display name of the conditionalAccessPolicy object.
-State             enabled, disabled, or enabledForReportingButNotEnforced (report-only).
-Conditions        The condition set (users, applications, locations, device platforms, client apps, sign-in and user risk) that must match for the policy to apply. Users and applications are mandatory.
-GrantControls     Controls that must be satisfied before access is granted (e.g., mfa, compliantDevice, block), combined with Operator AND or OR.
-SessionControls   (Optional) Controls applied to the session after access is granted (e.g., sign-in frequency, persistent browser session).
-BodyParameter     Alternative to the individual parameters: the whole policy passed as one hashtable or conditionalAccessPolicy object.

Limitations of using Microsoft Graph PowerShell to create conditional access policies

  • PowerShell commands can get complicated with different use cases and scenarios.
  • IT admins can spend a lot of time debugging errors, which in turn negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console.

Perform script-free Microsoft Entra ID management and reporting with ADManager Plus
