Conditional Access Policies are the Best Way to Block Weekend Access to Microsoft 365

Use a Scheduled Runbook to Enable and Disable Conditional Access Policies

Recently, MVP Daniel Bradley wrote about a beta feature for conditional access policies that allows time-limited application of blocks. The idea appears to be that you can configure days and times as conditions for a policy to permit connections to a tenant during those periods. At least, that’s what I think Microsoft intends to do. The total lack of documentation means that some detective work is needed to make things work.

It’s curious that Microsoft has a feature that’s accessible through the beta Graph endpoint that isn’t documented. Perhaps the developers are backing away from the feature because of lack of customer demand. At one point, businesses were concerned about people working out of hours, and a French law from 2016 gave employees the right to avoid using IT systems over the weekend and at holiday periods. The law still appears to be on the books, but I haven’t heard much about its use.

Of course, 2017 was before Covid-19 and the move to remote working and flexibility. Even though many organizations have rowed back on permitting employees to work outside the office, the world of work is subject to different influences than it was ten years ago. At this point, organizations probably like employees to work around the clock.

Exploring Methods to Block Access

But if a company wants to restrict connections to Microsoft 365 at certain times, what’s the best way to achieve the goal?

I think conditional access policies are the best response, but you don’t need a partially-implemented beta feature to do the job. Instead, a simple conditional access policy that blocks all access to all resources for everyone except a set of excluded accounts (like administrators and break glass accounts) is all that’s necessary. The trick is to switch the conditional access policy on and off accurately. For example, you might want to disable connections at 8 pm on Friday evenings and allow access again at 7 am on Monday morning.
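The policy described above can be created with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original article; it scopes the block to a group rather than to everyone (matching the runbook later in the post) and assumes two groups that are placeholders for your tenant: the target group 'CA Block Weekend Access (France)' and a 'Break Glass Accounts' group that is excluded from the block. The policy is created in report-only state so that the sign-in logs can confirm it catches the intended accounts before the scheduled runbook starts flipping it between enabled and disabled.

```powershell
# Added example: create the "Block Weekend Access" conditional access policy in report-only mode.
# Group names below are placeholders; requires Policy.ReadWrite.ConditionalAccess and Group.Read.All.
Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess, Group.Read.All -NoWelcome

$TargetGroup     = Get-MgGroup -Filter "displayName eq 'CA Block Weekend Access (France)'"
$BreakGlassGroup = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
If (-not $TargetGroup -or -not $BreakGlassGroup) {
    Throw "Target group or break glass group not found; create them before creating the policy"
}

# Refuse to create a second copy if the policy already exists
If (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Block Weekend Access'") {
    Throw "Policy 'Block Weekend Access' already exists"
}

$PolicyBody = @{
    displayName = "Block Weekend Access"
    # Report-only first: review sign-in logs, then the scheduled runbook sets enabled/disabled
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")                                    # browser, mobile apps, legacy auth
        applications   = @{ includeApplications = @("All") }         # every resource in the tenant
        users          = @{
            includeGroups = @($TargetGroup.Id)                       # accounts subject to the block
            excludeGroups = @($BreakGlassGroup.Id)                   # never lock out emergency access
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$Policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $PolicyBody

# Read the policy back and confirm state and scope before handing it to the runbook
$Check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Policy.Id
Write-Output ("Created policy '{0}' ({1}) in state {2}, includes {3} group(s), excludes {4} group(s)" -f `
    $Check.DisplayName, $Check.Id, $Check.State, `
    $Check.Conditions.Users.IncludeGroups.Count, $Check.Conditions.Users.ExcludeGroups.Count)
```

Because the policy blocks all applications, the break glass exclusion is the only thing standing between a mistake in the group rule and an administrator lockout, which is why the script refuses to proceed if that group cannot be found.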

The best approach to enabling and disabling conditional access policies is to use scheduled Azure Automation runbooks configured to execute at the times when you want to enable and disable connectivity. All a runbook must do is update the target conditional access policy to turn it off or on as appropriate. If deemed desirable, you could revoke user access tokens for the user accounts in the target group at the same time. The runbook code (using the Microsoft Graph PowerShell SDK) might look like this:

# Code for Azure Automation runbook to enable a conditional access policy to block weekend access for a specific group, and revoke sessions for all members of that group
# Requires Policy.ReadWrite.ConditionalAccess, Group.Read.All, User.RevokeSessions.All, and GroupMember.Read.All permissions
# Connect with the managed identity of the Azure Automation account
Connect-MgGraph -Identity

# Get membership of dynamic group containing user accounts to block (same group
# is used by the CA policy). -All fetches every page of members, not just the first 100
$Group = Get-MgGroup -Filter "displayName eq 'CA Block Weekend Access (France)'"
[array]$Users = Get-MgGroupMember -GroupId $Group.Id -All
# Revoke access for each member
ForEach ($User in $Users) {
    Try {
        $Status = Revoke-MgUserSignInSession -UserId $User.Id -ErrorAction Stop
        Write-Output ("Revoked access for {0}" -f $User.additionalProperties.displayName)
    } Catch {
        If ($_.Exception.Message -match "temporarily") {
            # Graph throttled the request: wait and try once more
            Write-Warning ("Temporarily unable to revoke access for {0}, will retry after 15 seconds" -f $User.additionalProperties.displayName)
            Start-Sleep -Seconds 15
            Revoke-MgUserSignInSession -UserId $User.Id
            Write-Output ("Revoked access for {0}" -f $User.additionalProperties.displayName)
        } Else {
            Write-Error ("Failed to revoke access for {0}: {1}" -f $User.additionalProperties.displayName, $_.Exception.Message)
        }
    }
}

# Now enable the conditional access policy to block access for this group over the weekend
$Policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Block Weekend Access'"
If ($Policy) {
    Try {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Policy.Id -State enabled -ErrorAction Stop
        Write-Output "Conditional Access policy 'Block Weekend Access' is now enabled"
    } Catch {
        Write-Error ("Failed to enable 'Block Weekend Access' policy: {0}" -f $_.Exception.Message)
    }
} Else {
    Write-Error "Conditional Access policy 'Block Weekend Access' not found"
}

Access tokens will expire within an hour, and the users won’t be able to reconnect because the conditional access policy will block their connections until reconnections are allowed again.
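The runbook above only does useful work if Azure Automation runs it at the right moments. The following added example (not code from the original article) creates the two weekly schedules with the Az.Automation module and links them to two runbooks: one that enables the policy on Friday evening and one that disables it again on Monday morning (the Monday runbook is the same script with -State disabled and without the revocation loop). The resource group, automation account, runbook names and the Europe/Paris time zone are placeholders.

```powershell
# Added example: schedule the enable/disable runbooks for Friday 20:00 and Monday 07:00 local time.
# Names below are placeholders; assumes the Az.Automation module and an account with rights on the automation account.
Connect-AzAccount

$Account = @{ ResourceGroupName = 'rg-automation'; AutomationAccountName = 'aa-tenant-ops' }
$TimeZone = 'Europe/Paris'   # schedule in the employees' local time, not the automation region's time

# Azure Automation rejects a start time less than five minutes in the future, so compute
# the next occurrence of the requested weekday and hour, rolling over a week if needed
Function Get-NextOccurrence {
    Param([System.DayOfWeek]$Day, [int]$Hour)
    $Today = (Get-Date).Date
    $Delta = ([int]$Day - [int]$Today.DayOfWeek + 7) % 7
    $Next  = $Today.AddDays($Delta).AddHours($Hour)
    If ($Next -lt (Get-Date).AddMinutes(5)) { $Next = $Next.AddDays(7) }
    Return $Next
}

$BlockSchedule = New-AzAutomationSchedule @Account -Name 'WeekendBlock-Friday-2000' `
    -StartTime (Get-NextOccurrence -Day Friday -Hour 20) -WeekInterval 1 -DaysOfWeek Friday -TimeZone $TimeZone
$UnblockSchedule = New-AzAutomationSchedule @Account -Name 'WeekendBlock-Monday-0700' `
    -StartTime (Get-NextOccurrence -Day Monday -Hour 7) -WeekInterval 1 -DaysOfWeek Monday -TimeZone $TimeZone

# Link each schedule to the runbook that performs that step
Register-AzAutomationScheduledRunbook @Account -RunbookName 'Enable-WeekendBlock'  -ScheduleName $BlockSchedule.Name
Register-AzAutomationScheduledRunbook @Account -RunbookName 'Disable-WeekendBlock' -ScheduleName $UnblockSchedule.Name

# Show what was registered so the pairing can be checked before the first weekend
Get-AzAutomationScheduledRunbook @Account |
    Where-Object { $_.ScheduleName -like 'WeekendBlock-*' } |
    Select-Object RunbookName, ScheduleName
```

Keeping the enable and disable steps in separate runbooks means a failure in the revocation loop on Friday cannot prevent Monday's unblock from running, and the listing at the end is the check to run after any change so that no schedule is left pointing at the wrong runbook.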

Handling International Employees

In an international company, you might need a set of conditional access policies to handle connectivity for different user populations. For example, German employees work in the UTC -1 time zone while U.S.-based employees work across several time zones. These conditions can be handled by having conditional access policies apply to different groups. Dynamic groups with membership rules based on country or office location are the best way to manage the users for each country.
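One way to create the per-country dynamic groups, as an added example that is not part of the original article: each group's membership rule selects enabled accounts whose country attribute matches an ISO country code, which assumes that attribute is populated consistently on user accounts (it is often blank unless HR provisioning sets it). Group names are placeholders built from the same naming pattern as the runbook's group.

```powershell
# Added example: create one dynamic group per country for country-specific CA policies.
# Assumes the 'country' attribute holds ISO codes on user accounts; requires Group.ReadWrite.All and Entra ID P1.
Connect-MgGraph -Scopes Group.ReadWrite.All -NoWelcome

# Placeholder country list: ISO code -> name used in the group display name
$Countries = @{ 'FR' = 'France'; 'DE' = 'Germany'; 'US' = 'United States' }

ForEach ($Code in $Countries.Keys) {
    $Name = ("CA Block Weekend Access ({0})" -f $Countries[$Code])
    If (Get-MgGroup -Filter "displayName eq '$Name'") {
        Write-Output ("Group '{0}' already exists, skipping" -f $Name)
        Continue
    }
    # Disabled accounts are left out so the group reflects only active users
    $Rule = ('(user.country -eq "{0}") and (user.accountEnabled -eq true)' -f $Code)
    $Group = New-MgGroup -DisplayName $Name -MailNickname ("CABlockWeekend{0}" -f $Code) `
        -MailEnabled:$false -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') -MembershipRule $Rule -MembershipRuleProcessingState 'On'
    Write-Output ("Created '{0}' ({1}) with rule {2}" -f $Group.DisplayName, $Group.Id, $Rule)
}

# Report how many accounts lack a country value: they will fall outside every country policy
$NoCountry = Get-MgUser -Filter "accountEnabled eq true" -All -Property id,displayName,country |
    Where-Object { [string]::IsNullOrEmpty($_.Country) }
Write-Output ("{0} enabled account(s) have no country set and are not covered by any country group" -f $NoCountry.Count)
```

Dynamic membership is evaluated asynchronously, so check the group membership in the portal or with Get-MgGroupMember once processing completes, and pay attention to the final count: an account with an empty country attribute is not blocked by any of these policies.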

Simpler Approaches Are Available

If your tenant doesn’t have the Entra P1 licenses required for conditional access policies and dynamic groups, you can disable accounts at the weekend by running a scheduled PowerShell script in Azure Automation (or use Windows Task Scheduler, if you must).
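The account-disabling alternative as an added example, not from the original article: a single script that Azure Automation runs with -Enable:$false on Friday evening and with -Enable on Monday morning, against the members of a placeholder security group (a normal group, since this approach assumes no P1 licenses for dynamic membership).

```powershell
# Added example: disable or re-enable the member accounts of a group on a schedule.
# Group name is a placeholder; requires User.ReadWrite.All and GroupMember.Read.All.
Param([switch]$Enable)
Connect-MgGraph -Identity

$GroupName = 'Weekend Block (France)'
$Group = Get-MgGroup -Filter "displayName eq '$GroupName'"
If (-not $Group) { Throw ("Group '{0}' not found" -f $GroupName) }

# A group can hold nested groups or devices; only act on user objects
[array]$Members = Get-MgGroupMember -GroupId $Group.Id -All
$Users = $Members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
$Action = If ($Enable) { 'enabled' } Else { 'disabled' }

ForEach ($User in $Users) {
    Try {
        Update-MgUser -UserId $User.Id -AccountEnabled:$Enable.IsPresent -ErrorAction Stop
        # Disabling an account does not end existing sessions, so revoke them as well
        If (-not $Enable) { Revoke-MgUserSignInSession -UserId $User.Id -ErrorAction Stop | Out-Null }
        Write-Output ("{0}: account {1}" -f $User.AdditionalProperties.displayName, $Action)
    } Catch {
        Write-Error ("{0}: failed to set account {1}: {2}" -f $User.AdditionalProperties.displayName, $Action, $_.Exception.Message)
    }
}
Write-Output ("Processed {0} user account(s), target state {1}" -f $Users.Count, $Action)
```

Filtering on the object type matters because Get-MgGroupMember returns directory objects of any kind, and the Monday run should be scheduled regardless of whether the Friday run succeeded so that a partial failure never leaves accounts disabled into the working week.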

Figure 1: A user connection is blocked by a conditional access policy

Disabling accounts is a cheap and cheerful method to block access, but it does mean that people might suspect that their job is in danger when they realize that their accounts are disabled. That wouldn’t be a good thing, and that’s why using a conditional access policy (with a more subtle message – Figure 1) to block access at certain times is a better approach. The bottom line is that no one can stop people working offline at the weekend, but conditional access policies (with a little help) can block access to online services.

