Disabilitare l'inoltro del traffico e i criteri di accesso condizionale usando la condizione di rete conforme in uno scenario break glass

In caso di interruzione o di connettività di Accesso a Internet Microsoft Entra, gli utenti rimangono protetti. Tuttavia, è possibile eseguire un'operazione di "break glass": disabilitando temporaneamente i profili di inoltro del traffico e disabilitando i criteri di condizione della rete conforme, gli utenti possono ottenere nuovamente l'accesso alle app Microsoft a favore della produttività.

Di seguito è possibile visualizzare uno script di esempio che consente di disabilitare rapidamente l'inoltro del traffico e cambiare i criteri di accesso condizionale usando la condizione Di rete conforme in modalità Solo report.

Elencare e disabilitare i criteri di accesso condizionale usando la condizione di rete conforme in uno scenario break glass

Lo script di PowerShell disabilita in modo efficace tutti i criteri di accesso condizionale che usano la condizione Di rete conforme. In una situazione di emergenza, questo script può essere usato per ripristinare temporaneamente l'accesso per gli utenti.

L'esempio richiede il modulo Microsoft Graph Beta PowerShell 2.10 o versione successiva.

# gsabreakglass.ps1 places the Compliant Network Conditional Access Policies for a given tenant using Microsoft Entra Internet Access into Report-Only mode.
#
# Version 1.0
#
# This script requires following 
#    - PowerShell 5.1 (x64) or beyond
#    - Module: Microsoft.Graph.Beta
#
#
# Before you begin:
#    
# - Make sure you are running PowerShell as an Administrator
# - Make sure your Administrator persona is an leveraging an Entra ID emergency access admin account, not subject to Microsoft Entra Internet Access Compliant Network policy, as described in https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access.
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Import-Module Microsoft.Graph.Beta.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All,Policy.ReadWrite.ConditionalAccess,NetworkAccess.ReadWrite.All"

$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
# Search for any Conditional Access policies leveraging the Compliant Network condition.
$allCAPolicies = Get-MgBetaIdentityConditionalAccessPolicy
$allCompliantNetworkCAPolicies = @()
foreach ($policy in $allCAPolicies) 
{
    if ($policy.conditions.locations.excludeLocations -Contains "3d46dbda-8382-466a-856d-eb00cbc6b910" -or $policy.conditions.locations.includeLocations -Contains "3d46dbda-8382-466a-856d-eb00cbc6b910") 
    {
        $allCompliantNetworkCAPolicies += $policy
    }
}
$compliantNetworkCount = $allCompliantNetworkCAPolicies.Count
$result += "Total count of Compliant Network Conditional Access policies: $($compliantNetworkCount)"
# List + Save the list of Compliant Network Conditional Access policies to the C:\BreakGlass folder for use in .\breakglass.ps1
foreach ($policy in $allCompliantNetworkCAPolicies)
{
    $current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
    $currentState = $current.state
    $currentTime = Get-Date
    $policyContent = "{0},{1},{2},{3},{4}" -f $policy.displayName, $policy.id, "Current State: $($currentState) at $($currentTime)", $policy.CreatedDateTime, $policy.ModifiedDateTime
    $result += $policyContent
	Write-Host "CA Policy with ID: $($policy.id) (state: $($current.state)) uses the Compliant Network Condition. Policy name: $($policy.displayName)"
}
$result += " "
$path = "C:\BreakGlass\ListCompliantNetworkCAPolicies.txt"
if (Test-Path $path)
{
    $result | Out-File -FilePath $path
} else {
    New-Item -Force -Path $path -Type File
	$result | Out-File -FilePath $path
}
Write-Host "`nList of Compliant NW policies has been exported to C:\BreakGlass\ListCompliantNetworkCAPolicies.txt`n"

$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
$result += "Total count of Compliant Network Conditional Access policies: $($allCompliantNetworkCAPolicies.Count)"
# Based on admin input, disable either all or some Conditional Access policies leveraging the Compliant Network Condition.
$action = Read-Host "Do you want to put all enabled compliant network Conditional Access policies in Report-Only mode (type 'all') or just specific policy IDs (type 'ids')?"
if ($action -eq "all") 
{
    foreach ($policy in $allCompliantNetworkCAPolicies) 
    {
        if ($policy) 
        {
            #only BreakGlass if policy is already enabled
            if ($policy.state -eq "enabled")
            {
                $params = @{
                    state = "enabledForReportingButNotEnforced"
                }
                $current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
                $currentState = $current.state
                $currentTime = Get-Date
                Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params
                
                $updatedTime = Get-Date
                $check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
                $updatedState = $check.state
                
                if ($updatedState -eq "enabledForReportingButNotEnforced") 
                {
                    $policyContent = "{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)"
                    $result += $policyContent
                    $count++
					Write-Host "Policy with ID $($policy.id) is now in Report-Only mode"
                } else {
                    Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode"
                }
            } else {
                Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
            }
        } else {
            Write-Host "Policy with ID $($policy.id) was not found."
        }
    }
} elseif ($action -eq "ids") {
    $policyIds = Read-Host "Enter the IDs of the policies you want to put in Report-Only mode (separated by commas)"
    $policyIds = $policyIds -split ","
   
    foreach ($id in $policyIds) 
    {
        $policy = $allCompliantNetworkCAPolicies | Where-Object { $_.id -eq $id }
        if ($policy) 
        {
            if ($policy.state -eq "enabled")
            {
                $params = @{
                state = "enabledForReportingButNotEnforced"
                }
                $current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
                $currentState = $current.state
                $currentTime = Get-Date
                Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params
                
                $updatedTime = Get-Date
                $check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
                $updatedState = $check.state
                
                if ($updatedState -eq "enabledForReportingButNotEnforced") 
                {
                    $policyContent = "{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)"
                    $result += $policyContent
                    $count++
                    Write-Host "Policy with ID $($policy.id) is now in Report-Only mode."
                } else {
                    Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode"
                }
            } else {
                Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
            }
        } else {
            Write-Host "Policy with ID $id not found."
        }
    }
} else {
    Write-Host "Invalid action. Please type 'all' or 'ids'."
}
# Save the list of Compliant Network Conditional Access policies that were moved to Report-Only mode to the C:\BreakGlass folder for use in .\breakglass.ps1
$result += "Number of policies placed in Report-Only mode: $($count)"
$path = "C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt"
if (Test-Path $path)
{
    $result | Out-File -FilePath $path
} else {
    New-Item -Force -Path $path -Type File
	$result | Out-File -FilePath $path
}
Write-Host "`nCA policy disablement results have been exported to C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt`n"

# Disable Traffic Profiles
$forwardingResult = @()
$timeRun = Get-Date
$result = "Script was run at $($timeRun)`n"

$forwardingProfiles = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles"
foreach ($profile in $forwardingProfiles.value)
{
	if ($profile.state -eq "enabled") {
		$body = @{ state = "disabled" } | ConvertTo-Json
		$check = Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles/$($profile.id)" -Body $body -ContentType "application/json"
		if ($check.state -eq "disabled") {
			$profileContent = "{0},{1},{2}`n" -f $profile.name, $profile.id, $profile.lastModifiedDateTime
			$result += $profileContent
			Write-Host "$($profile.name) is now disabled."
		} else {
			Write-Host "$($profile.name) can't be disabled."
		}
	} else{
		Write-Host "$($profile.name) is already disabled."
	}
}

# Save the list of disabled Forwarding profiles to C:\BreakGlass folder
$path = "C:\BreakGlass\DisabledForwardingProfiles.txt"
if (Test-Path $path)
{
    $result | Out-File -FilePath $path
} else {
    New-Item -Force -Path $path -Type File
	$result | Out-File -FilePath $path
}
Write-Host "`nDisabled Forwarding Profiles have been exported to C:\BreakGlass\DisabledForwardingProfiles.txt`n"

Passaggi successivi

• Ripristino dallo scenario Break glass
• Informazioni generali di Microsoft Graph PowerShell