Test-MtCaGroupsRestricted
SYNOPSIS
Checks if groups used in Conditional Access are protected by either Restricted Management Administrative Units or Role Assignable Groups.
SYNTAX
Test-MtCaGroupsRestricted [-ProgressAction <ActionPreference>] [<CommonParameters>]
DESCRIPTION
Security groups are used to include users in and exclude users from Conditional Access policies. Modifying group membership outside of the Conditional Access Administrator or other privileged roles can lead to bypassing Conditional Access policies. To prevent this, you can protect these groups by using Restricted Management Administrative Units or Role Assignable Groups. Role Assignable Groups should be used in combination with assignments to Entra ID roles. Restricted Management Administrative Units should be used to protect groups by restricting management to specific users or groups. This test checks if all groups used in Conditional Access policies are protected.
Learn more: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
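The check described above can be sketched offline as follows. This is an added example, not Maester's own code: `Get-CaGroupProtection` is a hypothetical helper, the sample policies and groups are constructed, and the property names (`includeGroups`, `excludeGroups`, `isAssignableToRole`, `isManagementRestricted`) are assumed to follow the Microsoft Graph conditionalAccessPolicy and group resources.

```powershell
# Added example: hypothetical helper, not Maester's implementation.
function Get-CaGroupProtection {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,  # shaped like Graph conditionalAccessPolicy
        [Parameter(Mandatory)] [object[]] $Group    # shaped like Graph group
    )
    # Index group details by object ID.
    $byId = @{}
    foreach ($g in $Group) { $byId[$g.id] = $g }

    # One record per (group, policy, include/exclude) reference.
    $refs = foreach ($p in $Policy) {
        foreach ($usage in 'includeGroups', 'excludeGroups') {
            foreach ($id in @($p.conditions.users.$usage)) {
                if ($id) { [pscustomobject]@{ GroupId = $id; Policy = $p.displayName; Usage = $usage } }
            }
        }
    }
    # Classify each referenced group once and list every policy that depends on it.
    foreach ($set in ($refs | Group-Object GroupId)) {
        $g = $byId[$set.Name]
        if (-not $g)                       { $protection = 'GroupNotFound' }
        elseif ($g.isAssignableToRole)     { $protection = 'RoleAssignableGroup' }
        elseif ($g.isManagementRestricted) { $protection = 'RestrictedManagementAU' }
        else                               { $protection = 'None' }
        [pscustomobject]@{
            DisplayName = $g.displayName
            GroupId     = $set.Name
            Protection  = $protection
            UsedBy      = ($set.Group | ForEach-Object { "$($_.Policy) [$($_.Usage)]" }) -join '; '
        }
    }
}

# Constructed sample data (IDs and names are made up).
$policies = @'
[{"displayName":"Require MFA","conditions":{"users":{"includeGroups":[],"excludeGroups":["11111111-1111-1111-1111-111111111111"]}}},
 {"displayName":"Block legacy auth","conditions":{"users":{"includeGroups":["22222222-2222-2222-2222-222222222222"],"excludeGroups":["11111111-1111-1111-1111-111111111111","33333333-3333-3333-3333-333333333333","44444444-4444-4444-4444-444444444444"]}}}]
'@ | ConvertFrom-Json
$groups = @'
[{"id":"11111111-1111-1111-1111-111111111111","displayName":"CA-Exclude-MFA","isAssignableToRole":false,"isManagementRestricted":false},
 {"id":"22222222-2222-2222-2222-222222222222","displayName":"CA-Include-Legacy","isAssignableToRole":true,"isManagementRestricted":false},
 {"id":"33333333-3333-3333-3333-333333333333","displayName":"CA-Exclude-BreakGlass","isAssignableToRole":false,"isManagementRestricted":true}]
'@ | ConvertFrom-Json

# Groups that need attention: unprotected, or referenced by a policy but no longer present.
Get-CaGroupProtection -Policy $policies -Group $groups | Where-Object Protection -in 'None', 'GroupNotFound'
```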
EXAMPLES
EXAMPLE 1
Test-MtCaGroupsRestricted
PARAMETERS
-ProgressAction
Determines how PowerShell responds to progress updates generated by the cmdlet, such as the progress bars produced by Write-Progress.
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.