Document Azure AD Conditional Access Policies with the IdPowerToys App

Manual and Automatic Documentation of Conditional Access Policy Settings as PowerPoint Presentation

Windows has its Power Toys and now Microsoft’s identity management team is getting into the act with Identity Power Toys (idPowerToys), an app to help Azure Active Directory power users get work done. The initial release of the app is limited to a Conditional Access Documentator, a useful tool to read the configuration of conditional access policies from Azure AD and generate documentation in the form of a PowerPoint presentation (using components from Syncfusion). The IdPowerToys GitHub repository is available for all to browse and contribute to.

Conditional access policies set conditions and criteria for Azure AD to examine inbound connections to decide if a connection should be accepted or rejected. A typical conditional access policy is one that requires accounts to use multi-factor authentication (MFA). The policy could even define that the authentication method used for the MFA response should be a certain strength. For instance, an SMS response is unacceptable but a response from the Microsoft Authenticator app is OK.

Only its creators love the GUI used to manage conditional access policies in the Microsoft Entra (Azure AD) admin center. It’s easy to make mistakes and people have been known to lock themselves out by implementing conditions that they can’t meet. It’s also easy to create conditions that make the daily interaction between people and apps miserable, such as cranking up the sign-in frequency for connections. Many different policies might exist in large enterprise tenants, and it can be hard to understand the flow that a connection traverses as Azure AD applies conditions from the set of policies. Examination of records in the Azure AD sign-in log throws some light onto the situation but can be a drag.

The Conditional Access Documentator

Enter the Conditional Access Documentator, the first IdPowerToys app. The app is available online and supports two modes:

  • Automatic generation: IdPowerToys retrieves the settings of conditional access policies using an enterprise app created in the tenant’s Azure AD and generates a PowerPoint presentation. You can opt to mask different elements of the output. For instance, if you choose to mask policy names, IdPowerToys generates its own version of the policy name based on what it does. If you choose to mask user names, IdPowerToys outputs their account identifier instead of their display name.
  • Manual generation: A tenant administrator runs a PowerShell command or uses the Graph Explorer to retrieve the JSON-formatted information about conditional access policies and pastes the results into a text box. IdPowerToys uses the information to create the PowerPoint file. Masking isn’t supported for manual generation.

An enterprise app is a registered Azure AD app owned by another tenant that creates an instance of the app in other tenants. Alongside the app instance, Azure AD creates a service principal to hold the permissions needed by the app. An administrator must grant consent before the app can use the permissions to access Azure AD to fetch the information about conditional access policies.

Some will be uneasy about granting an app permissions like Directory.Read.All (read information about accounts, groups, and other objects from Azure AD) and Policy.Read.All (read all policy information for the organization). However, as shown in Figure 1, the permissions are delegated, not application, which means that an account holding an administrator role must sign into the app before the app can use the permissions.

Figure 1: Permissions assigned to the IdPowerToys app

If you’re uneasy about creating an enterprise app with permissions in your Azure AD, use the manual generation method and run the Invoke-GraphRequest cmdlet to fetch the data and output it to the clipboard. This command only works when run by an administrator:

Invoke-GraphRequest -Uri '' -OutputType Json | Set-Clipboard
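The manual path described above, written out as an added example that is not the article's own command and not code from the IdPowerToys project. It assumes the Microsoft.Graph.Authentication module is installed; Invoke-GraphRequest is the alias the article uses for the Invoke-MgGraphRequest cmdlet, and the URI is the Graph v1.0 conditional access policies endpoint. Before calling Graph it checks that the signed-in session actually holds Policy.Read.All, because a token without that scope is what produces the AccessDenied "required scopes are missing in the token" error that readers report in the comments.

```powershell
# Added example (not from the article or IdPowerToys): fetch the conditional access
# policy JSON that manual mode expects and place it on the clipboard.
# Assumes Microsoft.Graph.Authentication is installed. The permission is delegated,
# so the signed-in account must hold a role that is allowed to read policies.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Verify the consented scope is present in the session before calling Graph.
# A missing scope is what yields "required scopes are missing in the token".
$context = Get-MgContext
if ($context.Scopes -notcontains 'Policy.Read.All') {
    throw 'Signed-in session lacks Policy.Read.All; consent was not granted.'
}

# Graph v1.0 endpoint for conditional access policies (returns a "value" collection).
$uri  = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$json = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType Json

# Sanity check: confirm a policy collection came back, not an error body,
# before pasting it into the app.
$policies = @((ConvertFrom-Json -InputObject $json).value)
Write-Host ('Retrieved {0} conditional access policies' -f $policies.Count)

$json | Set-Clipboard
Disconnect-MgGraph | Out-Null
```

The JSON on the clipboard is the raw policy collection, so it contains object identifiers for every included and excluded user, group, and application; treat the pasted text with the same care as any other export of tenant configuration.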

Figure 2 shows the results retrieved from the Graph pasted into the IdPowerToys app.

Figure 2: Pasting conditional access policy settings into IdPowerToys to generate documentation manually

In either case, the PowerPoint presentation generated to document conditional access policies is the same. For my tenant, which has 12 conditional access policies (not all in use), the app generated a 609 KB file with 13 slides (one title slide and one for each policy), divided into sets of enabled and disabled policies. Within a set, policies are sorted by last modified date, so the policy with the most recent modification appears first.

Figure 3 shows a presentation generated by IdPowerToys with details of a conditional access policy in the slide. This is a common policy to require MFA for guest access, with tweaks to require a certain authentication strength and to set the sign-in frequency to 90 days. You can see that the policy is enabled.

Figure 3: PowerPoint depiction of a conditional access policy

Visualize Conditional Access Policies Differently

Conceptually, generating documentation for conditional access policies isn’t difficult. Graph API requests exist to fetch the information and after that it’s a matter of parsing the conditions, actions, access controls, and session controls to output in your desired format. Some might prefer their documentation in Word. I think PowerPoint is just fine. IdPowerToys delivers documentation that just might help organizations visualize, clarify, and rationalize their conditional access policies, and that’s a good thing.
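To show what that parsing step looks like, here is an added example (not code from the article or from IdPowerToys) that takes the policy collection returned by the Graph conditional access policies request, the same JSON that manual mode consumes, and emits one summary row per policy in the order the generated deck uses: enabled policies first, then disabled, each group sorted by last modification date with the newest first. It generalises slightly by treating report-only policies (state enabledForReportingButNotEnforced) as a third group between the two. The four policies in the sample JSON are constructed; the field names follow the Graph conditionalAccessPolicy schema.

```powershell
# Added example, not from the article or IdPowerToys: summarise conditional access
# policies offline from the JSON that GET /identity/conditionalAccess/policies returns.
# The sample collection below is constructed for this example.
$sampleJson = @'
{
  "value": [
    {
      "id": "00000000-0000-0000-0000-000000000001",
      "displayName": "Require MFA for guests",
      "state": "enabled",
      "modifiedDateTime": "2023-04-02T10:15:00Z",
      "conditions": {
        "users": { "includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": [] },
        "applications": { "includeApplications": ["All"] }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "authenticationStrength": { "displayName": "Multifactor authentication" }
      },
      "sessionControls": {
        "signInFrequency": { "isEnabled": true, "value": 90, "type": "days" }
      }
    },
    {
      "id": "00000000-0000-0000-0000-000000000002",
      "displayName": "Block legacy authentication",
      "state": "enabled",
      "modifiedDateTime": "2023-05-10T08:00:00Z",
      "conditions": {
        "users": { "includeUsers": ["All"], "excludeUsers": ["00000000-0000-0000-0000-0000000000aa"] },
        "applications": { "includeApplications": ["All"] },
        "clientAppTypes": ["exchangeActiveSync", "other"]
      },
      "grantControls": { "operator": "OR", "builtInControls": ["block"] },
      "sessionControls": null
    },
    {
      "id": "00000000-0000-0000-0000-000000000003",
      "displayName": "Require compliant device for Office 365",
      "state": "enabledForReportingButNotEnforced",
      "modifiedDateTime": "2023-03-20T12:30:00Z",
      "conditions": {
        "users": { "includeUsers": ["All"] },
        "applications": { "includeApplications": ["Office365"] }
      },
      "grantControls": { "operator": "OR", "builtInControls": ["compliantDevice"] },
      "sessionControls": null
    },
    {
      "id": "00000000-0000-0000-0000-000000000004",
      "displayName": "Old pilot policy",
      "state": "disabled",
      "modifiedDateTime": "2022-11-01T09:00:00Z",
      "conditions": {
        "users": { "includeUsers": ["00000000-0000-0000-0000-0000000000bb"] },
        "applications": { "includeApplications": ["All"] }
      },
      "grantControls": null,
      "sessionControls": {
        "signInFrequency": { "isEnabled": true, "value": 1, "type": "hours" }
      }
    }
  ]
}
'@

function Get-CaPolicySummary {
    param([Parameter(Mandatory)][string]$Json)

    $policies = @((ConvertFrom-Json -InputObject $Json).value)

    # Group order mirrors the deck: enforced policies first, disabled ones last;
    # report-only policies sit in between because they are evaluated but not enforced.
    $stateRank = @{
        'enabled'                           = 0
        'enabledForReportingButNotEnforced' = 1
        'disabled'                          = 2
    }
    $order = @(
        @{ Expression = { $stateRank[$_.state] } },
        @{ Expression = { [datetime]$_.modifiedDateTime }; Descending = $true }
    )

    foreach ($p in ($policies | Sort-Object -Property $order)) {
        # Grant controls: built-in controls plus an authentication strength, if one is set.
        $grant = @($p.grantControls.builtInControls | Where-Object { $_ })
        if ($p.grantControls.authenticationStrength) {
            $grant += 'strength=' + $p.grantControls.authenticationStrength.displayName
        }
        $grantText = if ($grant.Count -gt 0) {
            '{0}: {1}' -f $p.grantControls.operator, ($grant -join ', ')
        } else {
            'none (session controls only)'
        }

        # Session control of interest here: the sign-in frequency override.
        $sif = $p.sessionControls.signInFrequency
        $frequency = if ($sif -and $sif.isEnabled) { '{0} {1}' -f $sif.value, $sif.type } else { 'tenant default' }

        [pscustomobject]@{
            Name       = $p.displayName
            State      = $p.state
            Modified   = ([datetime]$p.modifiedDateTime).ToString('yyyy-MM-dd')
            Users      = ($p.conditions.users.includeUsers -join ', ')
            Apps       = ($p.conditions.applications.includeApplications -join ', ')
            Grant      = $grantText
            SignInFreq = $frequency
        }
    }
}

Get-CaPolicySummary -Json $sampleJson | Format-Table -AutoSize
```

The same function accepts the JSON fetched from Graph in place of the sample, so the table is a quick way to eyeball gaps such as a policy with no grant controls, or a sign-in frequency that is far tighter than the rest, before turning the data into slides or a Word document.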

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

16 Replies to “Document Azure AD Conditional Access Policies with the IdPowerToys App”

  1. Trying to use this since it looked like an awesome tool but I have tried the automatic and manual methods without success. Both throw the following error: Sorry something went wrong. Please try again.

  2. Unfortunately, tried both manual and automatic methods. They both fail with the same error.

    Sorry something went wrong. Please try again.

      1. How can we be sure about security and privacy? And what about the GDPR concept?
        Are the data uploaded to the idpowertoys site?

        How can we be sure that no data are uploaded outside the enterprise?

      2. The information is read from your Azure AD configuration to generate the report. There’s no data stored on the idPowerToys site.

  3. This is nothing even close to being worthy of the PowerToys name. Come on. How about, it’s time for Microsoft to completely finish a product or feature before moving onto the next shiny object? Don’t release unfinished shit Microsoft.

  4. Hi Tony, I have tried with my test account (no Azure subscription) with a Premium P1 license… I have a few policies switched on and off…. when I tried Automatic, the document is downloading but with no policies in it

  5. I’ve also tried both methods, both fail with “Something went wrong”. App has all of the necessary permissions granted.

    My error, using Graph Explorer:
    "error": {
    "code": "AccessDenied",
    "message": "You cannot perform the requested operation, required scopes are missing in the token.",

    1. That error indicates that your Graph Explorer session doesn’t have the Policy.Read.All permission. Use the Modify Permissions tab to assign and grant consent to the permission and you should be able to retrieve the information.

      I don’t know why the developers took the manual mode offline. I guess someone found a problem…

  6. First, thank you Tony for this, it sounds very interesting and I definitely want to try it.

    I just tried both methods as well; for the manual mode I am getting the same error as others.

    For the automatic mode the PowerPoint document gets created but only with one slide where I can see the tenant ID, tenant name, generated by (my global admin account), generated on.
