Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Toggle Azure AD Security Defaults on or off via Graph API
#Set the authentication details
$tenantID = "tenant.onmicrosoft.com" #your tenantID or tenant root domain
$appID = "12345678-1234-1234-1234-1234567890AB" #the GUID of your app. For best result, use app with Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes granted
$client_secret = "XXXXXXXXXXXXXXXxxxx" #client secret for the app
$body = @{
client_id = $AppId
scope = "https://graph.microsoft.com/.default"
client_secret = $client_secret
grant_type = "client_credentials"
}
#Get a token
$authenticationResult = Invoke-WebRequest -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop
$token = ($authenticationResult.Content | ConvertFrom-Json).access_token
$authHeader = @{'Authorization'="Bearer $token"}
#Call the /policies/authorizationPolicy/identitySecurityDefaultsEnforcementPolicy endpoint to check the current value
$res = Invoke-WebRequest -Headers $AuthHeader -Uri "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy"
$result = ($res.Content | ConvertFrom-Json)
$result
#Change the value to "true" via a PATCH operation
$body = (@{"isEnabled"="true"} | ConvertTo-Json)
$authHeader = @{'Authorization'="Bearer $token";"Content-Type" = "application/json"}
$res = Invoke-WebRequest -Headers $AuthHeader -Uri "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy" -Method Patch -Body $body
#Call the /policies/authorizationPolicy/identitySecurityDefaultsEnforcementPolicy endpoint again to confirm the new value
$res = Invoke-WebRequest -Headers $AuthHeader -Uri "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy"
$result = ($res.Content | ConvertFrom-Json)
$result
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment