Set-EntraConditionalAccessPolicy

Updates a conditional access policy in Microsoft Entra ID by Id.

Syntax

Default (Default)

Set-EntraConditionalAccessPolicy

 -PolicyId <String>
 [-Conditions <ConditionalAccessConditionSet>]
 [-GrantControls <ConditionalAccessGrantControls>]
 [-DisplayName <String>]
 [-Id <String>]
 [-State <String>]
 [-SessionControls <ConditionalAccessSessionControls>]
 [<CommonParameters>]

Description

This cmdlet allows an admin to update a conditional access policy in Microsoft Entra ID by Id.

Conditional access policies are custom rules that define an access scenario.

In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The least privileged roles for this operation are:

  • Security Administrator
  • Conditional Access Administrator

Examples

Example 1: Update a conditional access policy

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$policy = Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq 'MFA policy' }
$cond = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$control = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$session = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -DisplayName 'MFA policy updated' -State 'Enabled' -Conditions $cond -GrantControls $control -SessionControls $session

The example shows how to update a conditional access policy in Microsoft Entra ID.

  • -PolicyId parameter specifies the Id of the conditional access policy.
  • -DisplayName parameter specifies the display name of the conditional access policy.
  • -State parameter specifies the enabled or disabled state of the conditional access policy.
  • -Conditions parameter specifies the conditions for the conditional access policy.
  • -GrantControls parameter specifies the controls for the conditional access policy.
  • -SessionControls parameter enables limited experiences within specific cloud applications.

Example 2: Update display name for a conditional access policy

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$policy = Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq 'MFA policy' }
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -DisplayName 'MFA policy updated'

This command updates the display name of a conditional access policy in Microsoft Entra ID.

  • -PolicyId parameter specifies the Id of the conditional access policy.
  • -DisplayName parameter specifies the display name of the conditional access policy.

Example 3: Update the state for a conditional access policy

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$policy = Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq 'MFA policy' }
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -State 'Enabled'

This command updates the state of a conditional access policy in Microsoft Entra ID.

  • -PolicyId parameter specifies the Id of the conditional access policy.
  • -State parameter specifies the enabled or disabled state of the conditional access policy.
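
The following is an added example, not part of the original documentation: a guarded version of the state change in Example 3 that refuses to act on an ambiguous display-name match, saves a JSON snapshot of the policy before changing it, and reads the result back. The display name, the backup file name and the report-only state value (the Microsoft Graph value enabledForReportingButNotEnforced, which does not appear on this page) are assumptions.

```powershell
# Added example (not from the original page). $displayName, $targetState and the
# backup file name are assumptions; adjust them for your tenant.
$ErrorActionPreference = 'Stop'
$displayName = 'MFA policy'
$targetState = 'enabledForReportingButNotEnforced'   # Graph value for report-only mode

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Display names are not unique. If the filter returns zero or several policies,
# $policy.Id would be empty or an array, so stop unless exactly one matches.
$found = @(Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq $displayName })
if ($found.Count -ne 1) {
    throw "Expected exactly one policy named '$displayName', found $($found.Count)."
}
$policy = $found[0]

# Snapshot the policy as it was before the change, for review or rollback.
$backupName = 'ca-policy-{0}-{1:yyyyMMddHHmmss}.json' -f $policy.Id, (Get-Date)
$backupPath = Join-Path -Path $PWD -ChildPath $backupName
$policy | ConvertTo-Json -Depth 10 | Set-Content -Path $backupPath -Encoding UTF8

# Pass only -State, as in Example 3, so no other part of the policy is submitted.
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -State $targetState

# Read the policy back and confirm the new state before reporting success.
$after = Get-EntraConditionalAccessPolicy | Where-Object { $_.Id -eq $policy.Id }
if ($after.State -ne $targetState) {
    throw "Policy $($policy.Id) is in state '$($after.State)', expected '$targetState'."
}

[pscustomobject]@{
    PolicyId = $policy.Id
    Before   = $policy.State
    After    = $after.State
    Backup   = $backupPath
}
```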

Parameters

-Conditions

Specifies the conditions for the conditional access policy in Microsoft Entra ID.

Parameter properties

Type: ConditionalAccessConditionSet
Default value: None
Supports wildcards: False
DontShow: False

-DisplayName

Specifies the display name of a conditional access policy in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-GrantControls

Specifies the controls for the conditional access policy in Microsoft Entra ID.

Parameter properties

Type: ConditionalAccessGrantControls
Default value: None
Supports wildcards: False
DontShow: False

-Id

Specifies the policy Id of a conditional access policy in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-PolicyId

Specifies the policy Id of a conditional access policy in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-SessionControls

Enables limited experiences within specific cloud applications.

Parameter properties

Type: ConditionalAccessSessionControls
Default value: None
Supports wildcards: False
DontShow: False

-State

Specifies the enabled or disabled state of the conditional access policy in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
