Proof of concept scripts for Geo blocks in Entra ID. Used with blog posts on agderinthe.cloud

Per-Torben/GeoBlockScripts

POC Scripts - Entra ID

⚠️ WARNING: These scripts are for educational and POC purposes only. Not production-ready. Use at your own risk.

Author: Per-Torben Sørensen

Simple, proof-of-concept scripts demonstrating Microsoft Graph API operations for Entra ID Conditional Access and Identity Governance.

Overview

This collection provides minimal scripts for:

  • Conditional Access: Location-based policies and security group management
  • Access Packages: Self-service access requests with approval workflows

Folder Structure

POC-Scripts/
├── ConditionalAccess/     # CA policies, named locations, security groups
└── AccessPackages/        # Catalogs, access packages, assignment policies

Complete End-to-End Workflow

Scenario: Enable Access from Mexico

This workflow creates a complete setup allowing users to request temporary access to sign in from Mexico.

Prerequisites

# Install required modules
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Identity.Governance -Scope CurrentUser

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.ReadWrite.All","Directory.ReadWrite.All","EntitlementManagement.ReadWrite.All"

Step-by-Step Execution Order

Phase 1: Conditional Access Setup

Navigate to the ConditionalAccess/ folder:

1. Create Named Location

# Edit POC-Add-CountryNamedLocation.ps1
# Set: $countryCode = "MX", $countryName = "Mexico"
.\POC-Add-CountryNamedLocation.ps1
# Note the location ID for Step 4

2. Create Security Group

# Edit POC-Add-CountrySecurityGroup.ps1
# Set: $countryName = "Mexico"
.\POC-Add-CountrySecurityGroup.ps1
# Note the group ID for Steps 3 and 4

3. Add Group to Existing Block Policy

# Edit POC-Add-GroupToPolicyExclusion.ps1
# Set: $policyId (from list), $groupId (from Step 2)
.\POC-Add-GroupToPolicyExclusion.ps1
# This exempts the group from global geo-blocking

4. Create Location-Specific Allow Policy

# Edit POC-Create-LocationAllowPolicy.ps1
# Set: 
#   $policyName = "CA02 - 15 - Users - Location - Allow Norway+Mexico"
#   $groupId = (from Step 2)
#   $locationIds = @("norway-id", "mexico-id") # from Step 1
.\POC-Create-LocationAllowPolicy.ps1

What this does: Creates a policy that blocks sign-in from all locations EXCEPT Norway and Mexico for members of the security group. The policy uses an "inverse" pattern: it includes all locations, excludes Norway and Mexico, and applies a block grant control, so the excluded locations effectively become an allow-list.

Important: The policy is created in report-only mode (enabledForReportingButNotEnforced). You must manually enable it in the Entra portal after validating sign-in logs to ensure it works as expected.
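The following is an added example, not one of the repository's scripts, showing the Step 4 "inverse" policy built directly with the Microsoft Graph PowerShell SDK and checked before it is handed to the portal. It assumes $groupId from Step 2 and the named-location IDs from Step 1 (placeholder values below).

```powershell
# Added example (not the repository's POC-Create-LocationAllowPolicy.ps1).
# Assumed inputs: group object ID from Step 2, named-location IDs from Step 1.
$groupId     = "<group-id-from-step-2>"                       # placeholder
$locationIds = @("<norway-location-id>", "<mexico-location-id>")  # placeholder
$policyName  = "CA02 - 15 - Users - Location - Allow Norway+Mexico"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$body = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"   # report-only until sign-in logs are reviewed
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($groupId) } # scoped to the exception group only
        locations      = @{
            includeLocations = @("All")        # every location ...
            excludeLocations = $locationIds    # ... except the approved countries
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")           # block what remains = allow-list of excluded locations
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# Guard rails before anyone flips the policy to "enabled" in the portal:
# the policy must still be report-only, and must not have widened to all users.
if ($policy.State -ne "enabledForReportingButNotEnforced") {
    throw "Policy $($policy.Id) was not created in report-only mode"
}
if ($policy.Conditions.Users.IncludeUsers -contains "All") {
    throw "Policy $($policy.Id) targets all users instead of the exception group"
}
Write-Output "Created report-only policy $($policy.Id) '$($policy.DisplayName)'"
```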

Phase 2: Access Package Setup

Navigate to the AccessPackages/ folder:

5. Create Catalog

# Edit POC-Add-AccessPackageCatalog.ps1
# Set: $countryName = "Mexico"
.\POC-Add-AccessPackageCatalog.ps1
# Note the catalog ID for Step 6

6. Add Group to Catalog

# Edit POC-Add-CatalogResource.ps1
# Set: $catalogId (from Step 5), $groupObjectId (from Step 2)
.\POC-Add-CatalogResource.ps1
# Wait 5 seconds for propagation

7. Create Access Package

# Edit POC-Add-AccessPackage.ps1
# Set: $catalogId (from Step 5), $countryName = "Mexico"
.\POC-Add-AccessPackage.ps1
# Note the access package ID for Step 8

8. Create Assignment Policy

# Edit POC-Add-AccessPackageAssignmentPolicy.ps1
# Set:
#   $accessPackageId (from Step 7)
#   $approverUserId = "user-object-id" # Use Get-MgUser to get ID
#   $durationInDays = 14
.\POC-Add-AccessPackageAssignmentPolicy.ps1

Result

Users can now:

  1. Visit myaccess.microsoft.com
  2. Request "Location Access - Mexico" access package
  3. Upon approval, gain 14-day membership of the CA-Exclusion-Mexico group
  4. Sign in from Norway or Mexico during that period
  5. Automatically lose access after 14 days

Conditional Access Scripts

Individual Scripts

| Script | Purpose | Variables Required |
|---|---|---|
| POC-Add-CountryNamedLocation.ps1 | Create country-based named location | $countryCode, $countryName |
| POC-Add-CountrySecurityGroup.ps1 | Create security group for CA exclusions | $countryName |
| POC-Add-GroupToPolicyExclusion.ps1 | Add group to CA policy exclusion list | $policyId, $groupId |
| POC-Create-LocationAllowPolicy.ps1 | Create allow policy for specific locations | $policyName, $groupId, $locationIds |

Orchestration Script (Optional)

  • POC-Deploy-CountryException.ps1 - Automates Steps 1-3 in one execution

When to use: If you prefer running one script instead of three individual scripts. This is purely for convenience - it executes the same operations as Steps 1-3 above. You still need to run Step 4 separately.

When NOT to use: If you want to understand each operation individually, run Steps 1-3 manually instead.

Use Case: Location-Based Access

The workflow creates:

  1. Named Location - Defines the country (e.g., Mexico)
  2. Security Group - Contains users who need access (e.g., CA-Exclusion-Mexico)
  3. Exclusion from Block Policy - Exempts group from global blocking
  4. Allow Policy - Permits sign-in only from approved locations for group members

Access Package Scripts

Individual Scripts

| Script | Purpose | Variables Required |
|---|---|---|
| POC-Add-AccessPackageCatalog.ps1 | Create catalog for access packages | $countryName |
| POC-Add-CatalogResource.ps1 | Add security group to catalog | $catalogId, $groupObjectId |
| POC-Add-AccessPackage.ps1 | Create access package in catalog | $catalogId, $countryName |
| POC-Add-AccessPackageAssignmentPolicy.ps1 | Create self-service request policy | $accessPackageId, $approverUserId, $durationInDays |

Orchestration Script (Optional)

  • POC-Deploy-AccessPackageSetup.ps1 - Automates Steps 5-8 in one execution

When to use: If you prefer running one script instead of four individual scripts. This is purely for convenience - it executes the same operations as Steps 5-8 above.

When NOT to use: If you want to understand each operation individually or need to troubleshoot, run Steps 5-8 manually instead.

Workflow

  1. User requests access via myaccess.microsoft.com
  2. Approver receives email notification
  3. Approver reviews and approves/denies request
  4. User is automatically added to security group
  5. Assignment expires after specified duration
  6. User is automatically removed from group

Requirements

  • PowerShell: 7.0+
  • Modules: Microsoft.Graph (must be pre-installed)
  • Roles:
    • Conditional Access Administrator or Global Administrator
    • Identity Governance Administrator (for access packages)
  • Licensing: Entra ID Premium P2 or EMS E5 (for access packages)
  • Connection: Active Microsoft Graph session with appropriate scopes

Important Notes

  • No parameters: Edit variables directly in script files before running
  • No auto-install: Graph modules must be installed beforehand
  • No error handling: Scripts assume happy path for POC purposes
  • Educational only: These are learning tools, not production scripts
  • IDs: Save output IDs from each step for use in subsequent steps

Country Codes Reference

Use two-letter ISO 3166-1 alpha-2 codes:

| Country | Code | Country | Code |
|---|---|---|---|
| Norway | NO | Germany | DE |
| Sweden | SE | France | FR |
| Denmark | DK | UK | GB |
| Finland | FI | USA | US |
| Mexico | MX | Spain | ES |

Full list: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Troubleshooting

Issue: Assignment policy creation fails with "ArgumentException"

  • Solution: Ensure $approverUserId is the user's Object ID (GUID), not UPN. Use Get-MgUser -UserId "user@domain.com" | Select-Object Id

Issue: Group not visible in catalog

  • Solution: Wait 5-10 seconds after adding resource to catalog before creating access package

Issue: Policy not working as expected

  • Solution: All policies start in "enabledForReportingButNotEnforced" (report-only) mode. Review the sign-in logs for the policy's report-only results, then manually change the state to "enabled" in the portal
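An added example (not part of the repository) of the sign-in log review the last item describes: it summarises what the report-only policy from Step 4 would have done over the past week. It assumes the policy ID is known and that the session has the AuditLog.Read.All scope, which the Connect-MgGraph line in the prerequisites does not request.

```powershell
# Added example (not one of the repository's scripts).
# Assumed input: the Conditional Access policy ID printed by Step 4.
$policyId = "<policy-id-from-step-4>"   # placeholder

# AuditLog.Read.All is needed on top of the scopes listed in Prerequisites.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only sign-ins where our policy was evaluated, and record its report-only verdict.
$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object Id -eq $policyId
    if ($applied) {
        [pscustomobject]@{
            When    = $s.CreatedDateTime
            User    = $s.UserPrincipalName
            Country = $s.Location.CountryOrRegion
            Result  = $applied.Result   # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied
        }
    }
}

# Overview of verdicts, then the sign-ins the policy WOULD block once enabled.
# Any reportOnlyFailure from Norway or Mexico means the location IDs are wrong.
$hits | Group-Object Result | Select-Object Name, Count
$hits | Where-Object Result -eq "reportOnlyFailure" | Sort-Object When | Format-Table -AutoSize
```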
