
Microsoft 365: unable to add multiple groups to a CA policy through a PowerShell function

Stack Overflow user
Asked on 2021-10-28 14:43:00
Answers: 1 · Views: 44 · Followers: 0 · Votes: 1

Hello, this is my first time posting here. I am trying to build some modules for my company to make managing Microsoft 365 easier and to automate tenant creation. While trying to create a new Conditional Access policy with multiple groups assigned, I ran into a small problem. Here is my code:

```powershell
function New-MFACAPolicy {
    param (
        [Parameter(Mandatory=$true, Position = 0)]
        [string[]]$Groups,

        [Parameter(Mandatory=$true)]
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced', 'disabled')]
        [string]$State,

        # Declared as an array so more than one excluded group can be passed
        [Parameter(Mandatory=$false)]
        [string[]]$ExcludedGroups
    )

    BEGIN{
        Test-AzureADConnection -ErrorAction SilentlyContinue

        #Create Empty Array
        $IncludedGroups = @()
        $ExclGroups = @()
        #Loop through Groups listed and add to array of Object ID's for each group
        foreach ($Group in $Groups) {

            $IncludedGroup = Get-AzureADMSGroup -SearchString $Group

            $IncludedGroups += $IncludedGroup.id

        }#Foreach

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            foreach ($ExcludedGroup in $ExcludedGroups) {

                $ExclGroup = Get-AzureADMSGroup -SearchString $ExcludedGroup

                $ExclGroups += $ExclGroup.id

            }#Foreach

        }#If Excluded Groups parameter is specified

        #Collapse the IDs into one comma-separated string (this is what the API rejects below)
        $InclGroups = $($IncludedGroups -join ', ')

    }#Begin

    Process {

        $Conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
        $Conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
        $Conditions.Applications.IncludeApplications = "All"
        $Conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
        $Conditions.Users.IncludeGroups = "$InclGroups"
        $Conditions.ClientAppTypes = @('Browser','MobileAppsAndDesktopClients')
        $Controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
        $Controls._Operator = "OR"
        $Controls.BuiltInControls = "mfa"

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            #Same pattern: the resolved IDs are passed as a single quoted string
            $Conditions.Users.ExcludeGroups = "$ExclGroups"

        }#If ExcludedGroups parameter specified

        New-AzureADMSConditionalAccessPolicy -DisplayName "CA001: Require MFA for all Licensed Users" -State $State -Conditions $Conditions -GrantControls $Controls
    }#Process
}
```

I don't know why, but I can add a single group when I run `New-MFACAPolicy -Groups "HR" -State enabledForReportingButNotEnforced`.

However, when I specify multiple groups, `New-MFACAPolicy -Groups "HR","Marketing" -State enabledForReportingButNotEnforced`, I get the following error:

```
New-AzureADMSConditionalAccessPolicy : Error occurred while executing NewAzureADMSConditionalAccessPolicy
Code: BadRequest
Message: 1054: Invalid group value: GroupID1, GroupID2. <--- This is usually the ID of the group I redacted it to hide that information
InnerError:
  RequestId: 53f15e3e-53cc-4c10-a537-983b8d6f87a6
  DateTimeStamp: Thu, 28 Oct 2021 14:21:42 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\Redacted\New-CAPolicies.ps1:63 char:5
+     New-AzureADMSConditionalAccessPolicy -DisplayName "CA001: Require ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADMSConditionalAccessPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphV10.Client.ApiException,Microsoft.Open.MSGraphV10.PowerShell.NewAzureADMSConditionalAccessPolicy
```

I'm not sure why this doesn't work, since I am just converting an array into a comma-separated string... If there is a better way to do this, I am absolutely willing to redo it if someone can suggest one.

Thanks for your help!

1 Answer

Stack Overflow user

Posted on 2021-10-28 18:07:10

You need to remove the quotes and leave it as an array.

Final version:

```powershell
function New-MFACAPolicy {
    param (
        [Parameter(Mandatory=$true, Position = 0)]
        [string[]]$Groups,

        [Parameter(Mandatory=$true)]
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced', 'disabled')]
        [string]$State,

        # Declared as an array so more than one excluded group can be passed
        [Parameter(Mandatory=$false)]
        [string[]]$ExcludedGroups
    )

    BEGIN{
        Test-AzureADConnection -ErrorAction SilentlyContinue

        #Create Empty Array
        $IncludedGroups = @()
        $ExclGroups = @()
        #Loop through Groups listed and add to array of Object ID's for each group
        foreach ($Group in $Groups) {

            $IncludedGroup = Get-AzureADMSGroup -SearchString $Group

            $IncludedGroups += $IncludedGroup.id

        }#Foreach

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            foreach ($ExcludedGroup in $ExcludedGroups) {

                $ExclGroup = Get-AzureADMSGroup -SearchString $ExcludedGroup

                $ExclGroups += $ExclGroup.id

            }#Foreach

        }#If Excluded Groups parameter is specified

    }#Begin

    Process {

        $Conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
        $Conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
        $Conditions.Applications.IncludeApplications = "All"
        $Conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
        #Pass the array of IDs directly; no quotes and no -join
        $Conditions.Users.IncludeGroups = $IncludedGroups
        $Conditions.ClientAppTypes = @('Browser','MobileAppsAndDesktopClients')
        $Controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
        $Controls._Operator = "OR"
        $Controls.BuiltInControls = "mfa"

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            $Conditions.Users.ExcludeGroups = $ExclGroups

        }#If ExcludedGroups parameter specified

        New-AzureADMSConditionalAccessPolicy -DisplayName "CA001: Require MFA for all Licensed Users" -State $State -Conditions $Conditions -GrantControls $Controls
    }#Process
}#Function
```
Votes: 1
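As an added example, not part of the question or the answer: the accepted fix passes the arrays through unchanged, but `Get-AzureADMSGroup -SearchString` is a prefix match, so a name like "HR" can also return "HR-Contractors", and whichever IDs come back are scoped into (or excluded from) an MFA policy without anyone noticing. The functions below resolve names with an exact filter and read the created policy back to confirm its group sets; they assume the same connected AzureAD session as `New-MFACAPolicy`, and the function names, the `CA-Exclusions-BreakGlass` group and the `New-MFACAPolicy` call from the answer are the only inputs.

```powershell
function Resolve-CAGroupId {
    # Turn display names into object IDs, failing closed on anything ambiguous.
    [CmdletBinding()]
    [OutputType([string[]])]
    param ([Parameter(Mandatory = $true)][string[]]$DisplayName)

    $ids = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $DisplayName) {
        # Exact OData match instead of the prefix-based -SearchString;
        # single quotes inside the name are doubled for OData.
        $escaped = $name.Replace("'", "''")
        $found = @(Get-AzureADMSGroup -Filter "displayName eq '$escaped'")
        if ($found.Count -ne 1) {
            throw "Group '$name' resolved to $($found.Count) objects; expected exactly 1."
        }
        $ids.Add($found[0].Id)
    }
    # Leading comma keeps a one-element result an array instead of a bare string.
    return ,$ids.ToArray()
}

function Test-CAPolicyGroups {
    # Read the policy back and confirm include/exclude sets match what was intended.
    param (
        [Parameter(Mandatory = $true)][string]$PolicyId,
        [string[]]$ExpectedInclude = @(),
        [string[]]$ExpectedExclude = @()
    )
    $policy = Get-AzureADMSConditionalAccessPolicy -PolicyId $PolicyId
    # Drop $null so an empty exclude list compares as an empty set.
    $actualIncl = @($policy.Conditions.Users.IncludeGroups | Where-Object { $_ })
    $actualExcl = @($policy.Conditions.Users.ExcludeGroups | Where-Object { $_ })
    $inclDiff = Compare-Object -ReferenceObject $ExpectedInclude -DifferenceObject $actualIncl
    $exclDiff = Compare-Object -ReferenceObject $ExpectedExclude -DifferenceObject $actualExcl
    return ($null -eq $inclDiff -and $null -eq $exclDiff)
}

# Usage: create the policy with the answer's New-MFACAPolicy (which returns the
# policy object), then verify the stored groups against an exact-match resolution.
# 'CA-Exclusions-BreakGlass' is a hypothetical group name.
$policy = New-MFACAPolicy -Groups 'HR', 'Marketing' `
    -ExcludedGroups 'CA-Exclusions-BreakGlass' `
    -State enabledForReportingButNotEnforced
$ok = Test-CAPolicyGroups -PolicyId $policy.Id `
    -ExpectedInclude (Resolve-CAGroupId -DisplayName 'HR', 'Marketing') `
    -ExpectedExclude (Resolve-CAGroupId -DisplayName 'CA-Exclusions-BreakGlass')
if (-not $ok) { Write-Warning "Policy $($policy.Id) does not scope the intended groups; review before enabling." }
```

Keeping the policy in `enabledForReportingButNotEnforced` until this check passes means a wrongly scoped group shows up in sign-in logs rather than locking users out or silently bypassing MFA.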
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain translation engine.
Original link:

https://stackoverflow.com/questions/69756209
