
How to export Conditional Access policies? A Microsoft Entra tenant has multiple Conditional Access policies, and all the configurations that are set work perfectly. We would like to create the same CA policies on another tenant. Creating the CA policies by hand will take time, and we might miss a configuration. So, how do you back up Conditional Access policies and import them into another tenant? In this article, you will learn how to export Conditional Access policies, including all their configurations, to JSON files with PowerShell.
Check Conditional Access policies in Microsoft Entra admin center

Let’s check the Conditional Access policies and their status in Microsoft Entra:

  1. Sign in to Microsoft Entra admin center
  2. Expand Identity > Protection
  3. Click on Conditional Access
  4. Select View all policies

In our example, we have two CA policies. One of the policies is enabled, and the other one is disabled.

(Screenshot: Conditional Access policies in the Microsoft Entra admin center)

What if we want to export the Conditional Access policies? The only method to export the Conditional Access policies is with PowerShell. It's an excellent way to back up the CA policies: if changes are made in the future, you can review the original configuration and roll back to it.

In the next step, we will show how to back up all Conditional Access policies to your computer.

Install Microsoft Graph PowerShell

Before we can proceed further and get all the Conditional Access policies from the Microsoft Entra tenant, we need to install Microsoft Graph PowerShell.

Start Windows PowerShell as administrator and run the below commands.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Now that we have the Microsoft Graph PowerShell SDK module installed, we can go to the next step.

Prepare Export-CAPolicies PowerShell script

Create two folders on the (C:) drive:

  • Temp
  • Scripts

Download and place the Export-CAPolicies.ps1 PowerShell script in the C:\scripts folder. The script will export the JSON files to the C:\temp folder.

Ensure the file is unblocked to prevent errors when running the script.

Another option is to copy and paste the below code into Notepad. Give it the name Export-CAPolicies.ps1 and place it in the C:\scripts folder.

<#
    .SYNOPSIS
    Export-CAPolicies.ps1

    .DESCRIPTION
    Export Conditional Access policies to JSON files for backup purposes.

    .LINK
    www.traseroute.net/export-conditional-access-policies/

    .NOTES
    Written by: Traseroute
    Website:    www.traseroute.net
    LinkedIn:   linkedin.com/in/traseroute

    .CHANGELOG
    V1.00, 11/16/2023 - Initial version
#>

# Connect to Microsoft Graph API
Connect-MgGraph -Scopes 'Policy.Read.All'

# Export path for CA policies (created if it does not exist yet)
$ExportPath = "C:\temp"
if (-not (Test-Path -Path $ExportPath)) {
    New-Item -ItemType Directory -Path $ExportPath | Out-Null
}

try {
    # Retrieve all conditional access policies from Microsoft Graph API
    $AllPolicies = Get-MgIdentityConditionalAccessPolicy -All

    if ($AllPolicies.Count -eq 0) {
        Write-Host "There are no CA policies found to export." -ForegroundColor Yellow
    }
    else {
        # Iterate through each policy
        foreach ($Policy in $AllPolicies) {
            try {
                # Get the display name of the policy
                $PolicyName = $Policy.DisplayName
            
                # Convert the policy object to JSON with a depth of 6
                $PolicyJSON = $Policy | ConvertTo-Json -Depth 6
            
                # Write the JSON to a file named after the policy in the export path
                $PolicyJSON | Out-File -FilePath (Join-Path -Path $ExportPath -ChildPath "$PolicyName.json") -Force
            
                # Print a success message for the policy backup
                Write-Host "Successfully backed up CA policy: $($PolicyName)" -ForegroundColor Green
            }
            catch {
                # Print an error message for the policy backup
                Write-Host "Error occurred while backing up CA policy: $($Policy.DisplayName). $($_.Exception.Message)" -ForegroundColor Red
            }
        }
    }
}
catch {
    # Print a generic error message
    Write-Host "Error occurred: $($_.Exception.Message)" -ForegroundColor Red
}

This is how it looks.

(Screenshot: Export-CAPolicies.ps1 in the C:\scripts folder)

Run Export Conditional Access policies PowerShell script

Run the Export-CAPolicies.ps1 PowerShell script to get all the policies and export them in JSON files in the temp folder.

C:\scripts\Export-CAPolicies.ps1

The output shows:

Successfully backed up CA policy: Block legacy authentication
Successfully backed up CA policy: Require multifactor authentication for all users

It might fail to export the CA policy if special characters are present in the policy name. We recommend not using special characters in the policy name and keeping the names as simple as possible.

Open Conditional Access policy JSON file

The Export-CAPolicies.ps1 PowerShell script will export all policies to JSON files. Find the JSON files in the path C:\temp.

(Screenshot: exported JSON files in the C:\temp folder)

Open the CA policy JSON file with your favorite application. For example, Notepad, Notepad++, or Visual Studio Code.

(Screenshot: a Conditional Access policy JSON file opened in an editor)

The CA policies JSON file looks excellent.
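A backup is only useful if you can tell what changed since it was taken. As an added example that is not part of the original article, the following script compares the JSON files in C:\temp with the policies currently in the tenant and reports every policy that changed, was added, or was deleted; it assumes Export-CAPolicies.ps1 has already run and that the Microsoft.Graph module is installed.

```powershell
# Added example, not from the original article: compare the JSON backups in
# C:\temp with the policies currently in the tenant and report every policy
# that changed, was added, or was deleted since Export-CAPolicies.ps1 ran.
Connect-MgGraph -Scopes 'Policy.Read.All'
$BackupPath = 'C:\temp'

# A change to any of these alters who a policy covers, what it applies to,
# or what it enforces, so they are the properties worth comparing.
$WatchedProperties = @('State', 'Conditions', 'GrantControls', 'SessionControls')

# Serialise each watched property to compact JSON so nested objects compare
# by content rather than by reference.
function Get-PolicyFingerprint {
    param($Policy)
    $Fingerprint = @{}
    foreach ($Name in $WatchedProperties) {
        $Fingerprint[$Name] = $Policy.$Name | ConvertTo-Json -Depth 6 -Compress
    }
    return $Fingerprint
}

# Load every backup file, keyed on the policy Id (stable across renames)
$Backups = @{}
foreach ($File in Get-ChildItem -Path $BackupPath -Filter '*.json') {
    $Saved = Get-Content -Path $File.FullName -Raw | ConvertFrom-Json
    $Backups[$Saved.Id] = $Saved
}
$Live = Get-MgIdentityConditionalAccessPolicy -All
foreach ($Policy in $Live) {
    if (-not $Backups.ContainsKey($Policy.Id)) {
        Write-Host "NEW (not in backup): $($Policy.DisplayName)" -ForegroundColor Yellow
        continue
    }
    $Before  = Get-PolicyFingerprint $Backups[$Policy.Id]
    $After   = Get-PolicyFingerprint $Policy
    $Changed = $WatchedProperties | Where-Object { $Before[$_] -ne $After[$_] }
    if ($Changed) {
        Write-Host "CHANGED: $($Policy.DisplayName) [$($Changed -join ', ')]" -ForegroundColor Red
    }
    else {
        Write-Host "Unchanged: $($Policy.DisplayName)" -ForegroundColor Green
    }
}

# Policies present in the backup but no longer in the tenant
foreach ($Id in $Backups.Keys) {
    if ($Live.Id -notcontains $Id) {
        Write-Host "DELETED since backup: $($Backups[$Id].DisplayName)" -ForegroundColor Red
    }
}
```

The comparison is textual, so a difference in serialisation (for example property order) is reported as a change; open the backup file next to the live policy when a result looks unexpected.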

Did this help you to back up Conditional Access policies to JSON files?
