Set-EntraConditionalAccessPolicy
Updates a conditional access policy in Microsoft Entra ID by Id.
Syntax
Set-EntraConditionalAccessPolicy
-PolicyId <String>
[-Conditions <ConditionalAccessConditionSet>]
[-GrantControls <ConditionalAccessGrantControls>]
[-DisplayName <String>]
[-Id <String>]
[-State <String>]
[-SessionControls <ConditionalAccessSessionControls>]
[<CommonParameters>]
Description
This cmdlet allows an admin to update a conditional access policy in Microsoft Entra ID by Id.
Conditional access policies are custom rules that define an access scenario.
In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The least privileged roles for this operation are:
- Security Administrator
- Conditional Access Administrator
Examples
Example 1: Update a conditional access policy
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$policy = Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq 'MFA policy' }
$cond = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$control = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$session = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessSessionControls
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -DisplayName 'MFA policy updated' -State 'Enabled' -Conditions $cond -GrantControls $control -SessionControls $session
The example shows how to update a conditional access policy in Microsoft Entra ID.
- The -PolicyId parameter specifies the Id of the conditional access policy.
- The -DisplayName parameter specifies the display name of the conditional access policy.
- The -State parameter specifies the enabled or disabled state of the conditional access policy.
- The -Conditions parameter specifies the conditions for the conditional access policy.
- The -GrantControls parameter specifies the controls for the conditional access policy.
- The -SessionControls parameter enables limited experiences within specific cloud applications.
Example 2: Update display name for a conditional access policy
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$policy = Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq 'MFA policy' }
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -DisplayName 'MFA policy updated'
This command updates a conditional access policy in Microsoft Entra ID.
- The -PolicyId parameter specifies the Id of the conditional access policy.
- The -DisplayName parameter specifies the display name of the conditional access policy.
Example 3: Update the state for a conditional access policy
Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$policy = Get-EntraConditionalAccessPolicy | Where-Object { $_.DisplayName -eq 'MFA policy' }
Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -State 'Enabled'
This command updates a conditional access policy in Microsoft Entra ID.
- The -PolicyId parameter specifies the Id of the conditional access policy.
- The -State parameter specifies the enabled or disabled state of the conditional access policy.
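A change-control wrapper around the calls in Examples 2 and 3, added here as an illustration and not part of the Microsoft Entra PowerShell module or its documentation. The function name Set-CaPolicyStateSafely, the -BackupDirectory parameter and the snapshot file name are hypothetical. It acts only when the display name matches exactly one policy, saves a JSON snapshot first, and re-reads the policy to confirm the new state.

```powershell
# Added example: hypothetical wrapper, not a cmdlet shipped with the Entra module.
function Set-CaPolicyStateSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Limited to the two states this page describes.
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $State,
        [string] $BackupDirectory = '.'   # assumed location for snapshots
    )

    # Where-Object can match zero or several policies; refuse to guess.
    $found = @(Get-EntraConditionalAccessPolicy |
        Where-Object { $_.DisplayName -eq $DisplayName })
    if ($found.Count -ne 1) {
        throw "Expected exactly 1 policy named '$DisplayName', found $($found.Count)."
    }
    $policy = $found[0]

    if ($policy.State -eq $State) {
        Write-Verbose "Policy $($policy.Id) is already '$State'; nothing to do."
        return $policy
    }

    # Snapshot the policy before changing it so the change can be reviewed or reverted.
    $stamp  = Get-Date -Format 'yyyyMMddTHHmmss'
    $backup = Join-Path $BackupDirectory "ca-policy-$($policy.Id)-$stamp.json"
    $policy | ConvertTo-Json -Depth 10 | Set-Content -Path $backup -Encoding utf8

    if ($PSCmdlet.ShouldProcess("$DisplayName ($($policy.Id))", "Set state to '$State'")) {
        Set-EntraConditionalAccessPolicy -PolicyId $policy.Id -State $State

        # Re-read and confirm the tenant reflects the requested state.
        $after = Get-EntraConditionalAccessPolicy | Where-Object { $_.Id -eq $policy.Id }
        if ($after.State -ne $State) {
            throw "Policy $($policy.Id) reports state '$($after.State)' after update."
        }
        return $after
    }
}

Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
Set-CaPolicyStateSafely -DisplayName 'MFA policy' -State 'Enabled' -Verbose
```

Running the function with -WhatIf reports the intended change without calling Set-EntraConditionalAccessPolicy.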
Parameters
-Conditions
Specifies the conditions for the conditional access policy in Microsoft Entra ID.
Type: ConditionalAccessConditionSet
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
Specifies the display name of a conditional access policy in Microsoft Entra ID.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GrantControls
Specifies the controls for the conditional access policy in Microsoft Entra ID.
Type: ConditionalAccessGrantControls
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Id
Specifies the policy Id of a conditional access policy in Microsoft Entra ID.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-PolicyId
Specifies the policy Id of a conditional access policy in Microsoft Entra ID.
Type: System.String
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-SessionControls
Enables limited experiences within specific cloud applications.
Type: ConditionalAccessSessionControls
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-State
Specifies the enabled or disabled state of the conditional access policy in Microsoft Entra ID.
Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Notes
Learn more about:
- Conditional access policy
- Built controls
- Conditions
- Session controls