Update Conditional Access Policies | Microsoft Graph PowerShell

How to update conditional access policies using Microsoft Graph PowerShell

The Update-MgIdentityConditionalAccessPolicy cmdlet modifies the settings of an existing conditional access policy in Microsoft Entra ID. Conditional access policies define the rules that govern how users and devices can access organizational resources, for example requiring MFA or blocking sign-ins from specific locations. With this cmdlet, admins can update a policy's assignments (users, applications, conditions), its grant or block controls, its session controls, and its state as business needs evolve. Because a mistake in a conditional access policy can lock administrators out of the tenant, changes should be tested in report-only mode and emergency-access (break-glass) accounts should always remain excluded.

This article shows you how to update conditional access policies using both the Microsoft Entra admin center and Microsoft Graph PowerShell:

  • Microsoft Entra admin center
  • Microsoft Graph PowerShell

Update conditional access policies using Microsoft Entra admin center

The Microsoft Entra admin center provides a graphical interface to adjust conditional access policies:

  1. Sign in to the Microsoft Entra admin center with an account that holds the Conditional Access Administrator (or Security Administrator) role.
  2. Open Protection > Conditional Access > Policies.
  3. Select the policy you wish to update.
  4. Edit the assignments, conditions, and access controls, then click Save.

Update conditional access policies using Microsoft Graph PowerShell

Prerequisites

  • Ensure the Microsoft Graph app has been granted the Policy.ReadWrite.ConditionalAccess permission, and that the signed-in account holds a directory role permitted to manage conditional access, such as Conditional Access Administrator. The delegated permission alone is not enough without the role.
  • Install the Microsoft Graph PowerShell module and connect with the required scope:
    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

Using the Update-MgIdentityConditionalAccessPolicy cmdlet

Pass the ID of the policy you want to change and a hashtable ($params) describing the properties to modify. Only the properties you send are changed; everything else on the policy keeps its current value:

$policyId = "<policy-id>"
$params = @{ ... }   # properties to update, for example State or Conditions
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter $params

The cmdlet also exposes the most common properties as individual parameters (-State, -Conditions, -GrantControls, and so on), which the examples below use.

Examples

Example 1: Enable a conditional access policy

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "policy-id" -State "enabled"

Example 2: Update a policy to require MFA for a selected group

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "policy-id" -Conditions @{Users = @{IncludeGroups = @("group-id")}} -GrantControls @{Operator = "OR"; BuiltInControls = @("mfa")}

Grant controls must include an Operator ("OR" or "AND") alongside the built-in controls. Note also that the Users object is written as a whole: if the existing policy excludes break-glass accounts or groups, send those exclusions again in the same call, or they may be dropped.

Example 3: Disable a policy temporarily

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "policy-id" -State "disabled"

Disabling a policy removes its protection for every user in scope. If the goal is to evaluate the policy's impact without enforcing it, prefer report-only mode (-State "enabledForReportingButNotEnforced") and review the sign-in logs instead.
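The following script is an added example, not code from the original article or from Microsoft; it puts the procedure above together as a practitioner would run it. It reads the current policy, adds a group to the MFA scope while preserving every existing include/exclude list, guarantees that an emergency-access group stays excluded, writes the change back in report-only mode after a -WhatIf dry run, and then verifies the stored result. The policy ID, group ID and the group name "BreakGlass-Accounts" are placeholders you must replace; the hypothetical helper AsList only exists in this example.

```powershell
# Added example (not from the original article): safely scope an MFA policy to a group
# without dropping existing exclusions. IDs and the break-glass group name are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All" -NoWelcome

$policyId    = "00000000-0000-0000-0000-000000000000"   # placeholder: policy to update
$targetGroup = "11111111-1111-1111-1111-111111111111"   # placeholder: group that must use MFA

# Hypothetical helper: turn a possibly-null SDK collection into a clean string array,
# so that an empty list serializes as [] rather than [null].
function AsList($items) { @($items | Where-Object { $_ }) }

# 1. Read the current policy; nested objects are rebuilt from it rather than overwritten blindly.
$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId

# 2. Resolve the emergency-access group and refuse to continue if it cannot be found.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'" | Select-Object -First 1
if (-not $breakGlass) { throw "Break-glass group not found; refusing to update the policy." }

# 3. Merge the new group into the include list and make sure the break-glass group is excluded.
$includeGroups = AsList $policy.Conditions.Users.IncludeGroups
if ($includeGroups -notcontains $targetGroup) { $includeGroups += $targetGroup }
$excludeGroups = AsList $policy.Conditions.Users.ExcludeGroups
if ($excludeGroups -notcontains $breakGlass.Id) { $excludeGroups += $breakGlass.Id }

# 4. Send the complete users and applications objects, carrying over every existing list,
#    because omitted members of a nested object are not guaranteed to be preserved.
$params = @{
    Conditions = @{
        ClientAppTypes = AsList $policy.Conditions.ClientAppTypes
        Users = @{
            IncludeGroups = $includeGroups
            ExcludeGroups = $excludeGroups
            IncludeUsers  = AsList $policy.Conditions.Users.IncludeUsers
            ExcludeUsers  = AsList $policy.Conditions.Users.ExcludeUsers
            IncludeRoles  = AsList $policy.Conditions.Users.IncludeRoles
            ExcludeRoles  = AsList $policy.Conditions.Users.ExcludeRoles
        }
        Applications = @{
            IncludeApplications = AsList $policy.Conditions.Applications.IncludeApplications
            ExcludeApplications = AsList $policy.Conditions.Applications.ExcludeApplications
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
    # Report-only first: evaluate impact in the sign-in logs, then switch to "enabled".
    State = "enabledForReportingButNotEnforced"
}

# 5. Dry run, then apply.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter $params -WhatIf
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter $params

# 6. Verify what the service actually stored before anyone flips the state to "enabled".
$updated = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
if ($updated.Conditions.Users.ExcludeGroups -notcontains $breakGlass.Id) {
    throw "Break-glass exclusion missing after update; investigate before enabling the policy."
}
"{0}: state={1}, mfaRequired={2}" -f $updated.DisplayName, $updated.State, ($updated.GrantControls.BuiltInControls -contains "mfa")
```

Run the script from a session that already holds the Conditional Access Administrator role; the Group.Read.All scope is only needed for the Get-MgGroup lookup. Leaving the policy in report-only mode and promoting it to "enabled" in a separate, reviewed step is deliberate: it keeps a bad edit from locking out users between the write and the verification.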

Supported parameters

The following essential parameters can be used with the Update-MgIdentityConditionalAccessPolicy cmdlet.

Parameter                    Description
-ConditionalAccessPolicyId   ID of the policy to update (required).
-BodyParameter               Hashtable (or JSON) containing all properties to update; use instead of the individual parameters below.
-DisplayName                 New display name for the policy.
-State                       State of the policy: enabled, disabled, or enabledForReportingButNotEnforced (report-only).
-Conditions                  Hashtable with the assignments and conditions (users, applications, locations, platforms, and so on).
-GrantControls               Hashtable with the grant or block controls, including the Operator ("OR"/"AND") and BuiltInControls.
-SessionControls             Hashtable with the session controls (sign-in frequency, persistent browser, app-enforced restrictions).
-Description                 Policy description.
-WhatIf                      Shows what the cmdlet would change without applying it.
-Confirm                     Prompts before updating.
-Headers                     Custom HTTP headers sent with the request.

Limitations of using native tools to update conditional access policies

Although powerful, relying solely on Microsoft Graph PowerShell and the Microsoft Entra admin center can present challenges:

  • PowerShell commands can get complex with different use cases and scenarios.
  • IT admins can spend a lot of time troubleshooting errors, which negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console:

  • Search Entra ID directory objects using any attribute.
  • Manage Entra ID users, contacts, groups, licenses, and other objects with a script-free, centralized console.
  • Reduce human errors by automating user provisioning, deprovisioning, and license assignment across various platforms.
  • Delegate Entra ID tasks to technicians without elevating their native privileges.
  • Keep a watchful eye with 200+ pre-packaged reports for your Entra ID and AD environments.
  • Monitor delegated activities through smart workflows.
  • Ensure business continuity with AD, Entra ID, and Google Workspace backup and recovery.
