Test-MtConditionalAccessWhatIf
SYNOPSIS
Tests Conditional Access evaluation with What If for a given scenario.
SYNTAX
ApplicationBasedCA (Default)
Test-MtConditionalAccessWhatIf [-UserId] <String> -IncludeApplications <String[]> [-DevicePlatform <String>]
[-ClientAppType <String>] [-SignInRiskLevel <String>] [-UserRiskLevel <String>] [-Country <String>]
[-IpAddress <String>] [-AllResults] [-ProgressAction <ActionPreference>] [<CommonParameters>]
UserActionBasedCA
Test-MtConditionalAccessWhatIf [-UserId] <String> [-UserAction <String[]>] [-DevicePlatform <String>]
[-ClientAppType <String>] [-SignInRiskLevel <String>] [-UserRiskLevel <String>] [-Country <String>]
[-IpAddress <String>] [-AllResults] [-ProgressAction <ActionPreference>] [<CommonParameters>]
DESCRIPTION
This function tests a Conditional Access evaluation with What If for a given scenario.
The function uses the Microsoft Graph API to evaluate the Conditional Access policies.
Learn more: https://learn.microsoft.com/entra/identity/conditional-access/what-if-tool
EXAMPLES
EXAMPLE 1
Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-IncludeApplications "00000002-0000-0ff1-ce00-000000000000" `
-ClientAppType exchangeActiveSync
This example tests the Conditional Access policies for a user signing into Exchange Online using a legacy Mail client that relies on basic authentication.
EXAMPLE 2
Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-UserAction registerOrJoinDevices
This example tests the Conditional Access policies for a user registering or joining a device to Microsoft Entra.
EXAMPLE 3
Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-IncludeApplications '67ad5377-2d78-4ac2-a867-6300cda00e85' `
-Country FR -IpAddress '92.205.185.202'
This example tests the Conditional Access policies for a user signing into Office 365 from France with a specific IP address.
EXAMPLE 4
Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-IncludeApplications '67ad5377-2d78-4ac2-a867-6300cda00e85' `
-SignInRiskLevel High -DevicePlatform iOS
This example tests the Conditional Access policies for a user signing into Office 365 from an iOS device with a High sign-in risk level.
EXAMPLE 5
Test-MtConditionalAccessWhatIf -UserId 7a6da1c3-616a-416b-a820-cbe4fa8e225e `
-UserAction registerSecurityInformation `
-DevicePlatform Android `
-UserRiskLevel High
This example tests the Conditional Access policies for a user accessing the My Security Info page from an Android device with a High user risk level.
PARAMETERS
-UserId
The id of the user sign-in that is being tested.
Must be a valid userId (GUID).
UserId can be looked up by $id = (Get-MgUser -UserId 'john@contoso.com').id
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-IncludeApplications
The id of the application the user is signing into. Must be a valid application ID (GUID) Application ID can be looked up from from the sign in logs. The id of the Office 365 application is '67ad5377-2d78-4ac2-a867-6300cda00e85'
Type: String[]
Parameter Sets: ApplicationBasedCA
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-UserAction
The user action that should be tested. Values can be registerOrJoinDevices or registerSecurityInformation
Type: String[]
Parameter Sets: UserActionBasedCA
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-DevicePlatform
Device platform to be used for the test. Values can be all, Android, iOS, windows, windowsPhone, macOS, linux
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-ClientAppType
The client app used by the user. Values can be browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-SignInRiskLevel
Sign-in risk level for the test. Values can be None, Low, Medium, High
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-UserRiskLevel
User risk level for the test. Values can be None, Low, Medium, High
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-Country
Country to be used for the test. The two-letter country code.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-IpAddress
IP address to be used for the test. e.g. 10.142.84.49
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-AllResults
Output all results
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ProgressAction
{{ Fill ProgressAction Description }}
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
OUTPUTS
System.Object
NOTES
RELATED LINKS
https://maester.dev/docs/commands/Test-MtConditionalAccessWhatIf