Update-MgBetaIdentityConditionalAccessPolicy

Syntax

Update-MgBetaIdentityConditionalAccessPolicy
      -ConditionalAccessPolicyId <String>
      [-ResponseHeadersVariable <String>]
      [-AdditionalProperties <Hashtable>]
      [-Conditions <IMicrosoftGraphConditionalAccessConditionSet>]
      [-CreatedDateTime <DateTime>]
      [-Description <String>]
      [-DisplayName <String>]
      [-GrantControls <IMicrosoftGraphConditionalAccessGrantControls>]
      [-Id <String>]
      [-ModifiedDateTime <DateTime>]
      [-SessionControls <IMicrosoftGraphConditionalAccessSessionControls>]
      [-State <String>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Update-MgBetaIdentityConditionalAccessPolicy
      -ConditionalAccessPolicyId <String>
      -BodyParameter <IMicrosoftGraphConditionalAccessPolicy>
      [-ResponseHeadersVariable <String>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Update-MgBetaIdentityConditionalAccessPolicy
      -InputObject <IIdentitySignInsIdentity>
      [-ResponseHeadersVariable <String>]
      [-AdditionalProperties <Hashtable>]
      [-Conditions <IMicrosoftGraphConditionalAccessConditionSet>]
      [-CreatedDateTime <DateTime>]
      [-Description <String>]
      [-DisplayName <String>]
      [-GrantControls <IMicrosoftGraphConditionalAccessGrantControls>]
      [-Id <String>]
      [-ModifiedDateTime <DateTime>]
      [-SessionControls <IMicrosoftGraphConditionalAccessSessionControls>]
      [-State <String>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Update-MgBetaIdentityConditionalAccessPolicy
      -InputObject <IIdentitySignInsIdentity>
      -BodyParameter <IMicrosoftGraphConditionalAccessPolicy>
      [-ResponseHeadersVariable <String>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

Update the properties of a conditionalAccessPolicy object.

Permissions

Examples

Example 1: Add sign in risk levels to an existing conditional access policy

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
  
$params = @{
  Conditions = @{
    SignInRiskLevels = @(
      "high"
      "medium"
      "low"
    )
  }
}

Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId '61c7530f-5c1d-44b2-a972-4ae658b7a9ac' -BodyParameter $params

This example updates and existing access policy to add the sign in risk levels.

Parameters

-AdditionalProperties

-BodyParameter

-ConditionalAccessPolicyId

-Conditions

-Confirm

-CreatedDateTime

-Description

-DisplayName

-GrantControls

-Headers

-Id

-InputObject

-ModifiedDateTime

-ProgressAction

-ResponseHeadersVariable

-SessionControls

-State

-WhatIf

Inputs

Microsoft.Graph.Beta.PowerShell.Models.IIdentitySignInsIdentity

Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphConditionalAccessPolicy

System.Collections.IDictionary

Outputs

Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphConditionalAccessPolicy

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

BODYPARAMETER <IMicrosoftGraphConditionalAccessPolicy>: conditionalAccessPolicy

• [(Any) <Object>]: This indicates any property can be added to this object.
• [Id <String>]: The unique identifier for an entity. Read-only.
• [Conditions <IMicrosoftGraphConditionalAccessConditionSet>]: conditionalAccessConditionSet
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Applications <IMicrosoftGraphConditionalAccessApplications>]: conditionalAccessApplications
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ApplicationFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [Mode <String>]: filterMode
      • [Rule <String>]: Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID. For details, see rules with multiple expressions
    • [ExcludeApplications <String- []>]: Can be one of the following: The list of client IDs (appId) explicitly excluded from the policy. Office365 - For the list of apps included in Office365, see Apps included in Conditional Access Office 365 app suite MicrosoftAdminPortals - For more information, see Conditional Access Target resources: Microsoft Admin Portals
    • [IncludeApplications <String- []>]: Can be one of the following: The list of client IDs (appId) the policy applies to, unless explicitly excluded (in excludeApplications) All Office365 - For the list of apps included in Office365, see Apps included in Conditional Access Office 365 app suite MicrosoftAdminPortals - For more information, see Conditional Access Target resources: Microsoft Admin Portals
    • [IncludeAuthenticationContextClassReferences <String- []>]: Authentication context class references include. Supported values are c1 through c25.
    • [IncludeUserActions <String- []>]: User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice
  • [AuthenticationFlows <IMicrosoftGraphConditionalAccessAuthenticationFlows>]: conditionalAccessAuthenticationFlows
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [TransferMethods <String>]: conditionalAccessTransferMethods
  • [ClientAppTypes <String- []>]: Client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other. Required. The easUnsupported enumeration member is deprecated in favor of exchangeActiveSync, which includes EAS supported and unsupported platforms.
  • [ClientApplications <IMicrosoftGraphConditionalAccessClientApplications>]: conditionalAccessClientApplications
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeServicePrincipals <String- []>]: Service principal IDs excluded from the policy scope.
    • [IncludeServicePrincipals <String- []>]: Service principal IDs included in the policy scope, or ServicePrincipalsInMyTenant.
    • [ServicePrincipalFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
  • [DeviceStates <IMicrosoftGraphConditionalAccessDeviceStates>]: conditionalAccessDeviceStates
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeStates <String- []>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined.
    • [IncludeStates <String- []>]: States in the scope of the policy. All is the only allowed value.
  • [Devices <IMicrosoftGraphConditionalAccessDevices>]: conditionalAccessDevices
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [DeviceFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
    • [ExcludeDeviceStates <String- []>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined.
    • [ExcludeDevices <String- []>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined. Cannot be set if deviceFIlter is set.
    • [IncludeDeviceStates <String- []>]: States in the scope of the policy. All is the only allowed value.
    • [IncludeDevices <String- []>]: States in the scope of the policy. All is the only allowed value. Cannot be set if deviceFilter is set.
  • [InsiderRiskLevels <String>]: conditionalAccessInsiderRiskLevels
  • [Locations <IMicrosoftGraphConditionalAccessLocations>]: conditionalAccessLocations
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeLocations <String- []>]: Location IDs excluded from scope of policy.
    • [IncludeLocations <String- []>]: Location IDs in scope of policy unless explicitly excluded, All, or AllTrusted.
  • [Platforms <IMicrosoftGraphConditionalAccessPlatforms>]: conditionalAccessPlatforms
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludePlatforms <String- []>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue, linux.
    • [IncludePlatforms <String- []>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue,linux.
  • [ServicePrincipalRiskLevels <String- []>]: Service principal risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
  • [SignInRiskLevels <String- []>]: Sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
  • [UserRiskLevels <String- []>]: User risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
  • [Users <IMicrosoftGraphConditionalAccessUsers>]: conditionalAccessUsers
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExcludeGroups <String- []>]: Group IDs excluded from scope of policy.
    • [ExcludeGuestsOrExternalUsers <IMicrosoftGraphConditionalAccessGuestsOrExternalUsers>]: conditionalAccessGuestsOrExternalUsers
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [ExternalTenants <IMicrosoftGraphConditionalAccessExternalTenants>]: conditionalAccessExternalTenants
        • [(Any) <Object>]: This indicates any property can be added to this object.
        • [MembershipKind <String>]: conditionalAccessExternalTenantsMembershipKind
      • [GuestOrExternalUserTypes <String>]: conditionalAccessGuestOrExternalUserTypes
    • [ExcludeRoles <String- []>]: Role IDs excluded from scope of policy.
    • [ExcludeUsers <String- []>]: User IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    • [IncludeGroups <String- []>]: Group IDs in scope of policy unless explicitly excluded.
    • [IncludeGuestsOrExternalUsers <IMicrosoftGraphConditionalAccessGuestsOrExternalUsers>]: conditionalAccessGuestsOrExternalUsers
    • [IncludeRoles <String- []>]: Role IDs in scope of policy unless explicitly excluded.
    • [IncludeUsers <String- []>]: User IDs in scope of policy unless explicitly excluded, None, All, or GuestsOrExternalUsers.
• [CreatedDateTime <DateTime?>]: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Readonly.
• [Description <String>]: Not used.
• [DisplayName <String>]: Specifies a display name for the conditionalAccessPolicy object.
• [GrantControls <IMicrosoftGraphConditionalAccessGrantControls>]: conditionalAccessGrantControls
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [AuthenticationStrength <IMicrosoftGraphAuthenticationStrengthPolicy>]: authenticationStrengthPolicy
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [AllowedCombinations <String- []>]: A collection of authentication method modes that are required be used to satify this authentication strength.
    • [CombinationConfigurations <IMicrosoftGraphAuthenticationCombinationConfiguration- []>]: Settings that may be used to require specific types or instances of an authentication method to be used when authenticating with a specified combination of authentication methods.
      • [Id <String>]: The unique identifier for an entity. Read-only.
      • [AppliesToCombinations <String- []>]: Which authentication method combinations this configuration applies to. Must be an allowedCombinations object defined for the authenticationStrengthPolicy. For fido2combinationConfigurations use 'fido2', for x509certificatecombinationconfiguration use 'x509CertificateSingleFactor' or 'x509CertificateMultiFactor'.
    • [CreatedDateTime <DateTime?>]: The datetime when this policy was created.
    • [Description <String>]: The human-readable description of this policy.
    • [DisplayName <String>]: The human-readable display name of this policy. Supports $filter (eq, ne, not , and in).
    • [ModifiedDateTime <DateTime?>]: The datetime when this policy was last modified.
    • [PolicyType <String>]: authenticationStrengthPolicyType
    • [RequirementsSatisfied <String>]: authenticationStrengthRequirements
  • [BuiltInControls <String- []>]: List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue.
  • [CustomAuthenticationFactors <String- []>]: List of custom controls IDs required by the policy. To learn more about custom control, see Custom controls (preview).
  • [Operator <String>]: Defines the relationship of the grant controls. Possible values: AND, OR.
  • [TermsOfUse <String- []>]: List of terms of use IDs required by the policy.
• [ModifiedDateTime <DateTime?>]: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Readonly.
• [SessionControls <IMicrosoftGraphConditionalAccessSessionControls>]: conditionalAccessSessionControls
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ApplicationEnforcedRestrictions <IMicrosoftGraphApplicationEnforcedRestrictionsSessionControl>]: applicationEnforcedRestrictionsSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  • [CloudAppSecurity <IMicrosoftGraphCloudAppSecuritySessionControl>]: cloudAppSecuritySessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [CloudAppSecurityType <String>]: cloudAppSecuritySessionControlType
  • [ContinuousAccessEvaluation <IMicrosoftGraphContinuousAccessEvaluationSessionControl>]: continuousAccessEvaluationSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Mode <String>]: continuousAccessEvaluationMode
  • [DisableResilienceDefaults <Boolean?>]: Session control that determines whether it's acceptable for Microsoft Entra ID to extend existing sessions based on information collected prior to an outage or not.
  • [PersistentBrowser <IMicrosoftGraphPersistentBrowserSessionControl>]: persistentBrowserSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [Mode <String>]: persistentBrowserSessionMode
  • [SecureSignInSession <IMicrosoftGraphSecureSignInSessionControl>]: secureSignInSessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  • [SignInFrequency <IMicrosoftGraphSignInFrequencySessionControl>]: signInFrequencySessionControl
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
    • [AuthenticationType <String>]: signInFrequencyAuthenticationType
    • [FrequencyInterval <String>]: signInFrequencyInterval
    • [Type <String>]: signinFrequencyType
    • [Value <Int32?>]: The number of days or hours.
• [State <String>]: conditionalAccessPolicyState

CONDITIONS <IMicrosoftGraphConditionalAccessConditionSet>: conditionalAccessConditionSet

• [(Any) <Object>]: This indicates any property can be added to this object.
• [Applications <IMicrosoftGraphConditionalAccessApplications>]: conditionalAccessApplications
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ApplicationFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Mode <String>]: filterMode
    • [Rule <String>]: Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID. For details, see rules with multiple expressions
  • [ExcludeApplications <String- []>]: Can be one of the following: The list of client IDs (appId) explicitly excluded from the policy. Office365 - For the list of apps included in Office365, see Apps included in Conditional Access Office 365 app suite MicrosoftAdminPortals - For more information, see Conditional Access Target resources: Microsoft Admin Portals
  • [IncludeApplications <String- []>]: Can be one of the following: The list of client IDs (appId) the policy applies to, unless explicitly excluded (in excludeApplications) All Office365 - For the list of apps included in Office365, see Apps included in Conditional Access Office 365 app suite MicrosoftAdminPortals - For more information, see Conditional Access Target resources: Microsoft Admin Portals
  • [IncludeAuthenticationContextClassReferences <String- []>]: Authentication context class references include. Supported values are c1 through c25.
  • [IncludeUserActions <String- []>]: User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice
• [AuthenticationFlows <IMicrosoftGraphConditionalAccessAuthenticationFlows>]: conditionalAccessAuthenticationFlows
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [TransferMethods <String>]: conditionalAccessTransferMethods
• [ClientAppTypes <String- []>]: Client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other. Required. The easUnsupported enumeration member is deprecated in favor of exchangeActiveSync, which includes EAS supported and unsupported platforms.
• [ClientApplications <IMicrosoftGraphConditionalAccessClientApplications>]: conditionalAccessClientApplications
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ExcludeServicePrincipals <String- []>]: Service principal IDs excluded from the policy scope.
  • [IncludeServicePrincipals <String- []>]: Service principal IDs included in the policy scope, or ServicePrincipalsInMyTenant.
  • [ServicePrincipalFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
• [DeviceStates <IMicrosoftGraphConditionalAccessDeviceStates>]: conditionalAccessDeviceStates
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ExcludeStates <String- []>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined.
  • [IncludeStates <String- []>]: States in the scope of the policy. All is the only allowed value.
• [Devices <IMicrosoftGraphConditionalAccessDevices>]: conditionalAccessDevices
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [DeviceFilter <IMicrosoftGraphConditionalAccessFilter>]: conditionalAccessFilter
  • [ExcludeDeviceStates <String- []>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined.
  • [ExcludeDevices <String- []>]: States excluded from the scope of the policy. Possible values: Compliant, DomainJoined. Cannot be set if deviceFIlter is set.
  • [IncludeDeviceStates <String- []>]: States in the scope of the policy. All is the only allowed value.
  • [IncludeDevices <String- []>]: States in the scope of the policy. All is the only allowed value. Cannot be set if deviceFilter is set.
• [InsiderRiskLevels <String>]: conditionalAccessInsiderRiskLevels
• [Locations <IMicrosoftGraphConditionalAccessLocations>]: conditionalAccessLocations
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ExcludeLocations <String- []>]: Location IDs excluded from scope of policy.
  • [IncludeLocations <String- []>]: Location IDs in scope of policy unless explicitly excluded, All, or AllTrusted.
• [Platforms <IMicrosoftGraphConditionalAccessPlatforms>]: conditionalAccessPlatforms
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ExcludePlatforms <String- []>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue, linux.
  • [IncludePlatforms <String- []>]: Possible values are: android, iOS, windows, windowsPhone, macOS, all, unknownFutureValue,linux.
• [ServicePrincipalRiskLevels <String- []>]: Service principal risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
• [SignInRiskLevels <String- []>]: Sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
• [UserRiskLevels <String- []>]: User risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required.
• [Users <IMicrosoftGraphConditionalAccessUsers>]: conditionalAccessUsers
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ExcludeGroups <String- []>]: Group IDs excluded from scope of policy.
  • [ExcludeGuestsOrExternalUsers <IMicrosoftGraphConditionalAccessGuestsOrExternalUsers>]: conditionalAccessGuestsOrExternalUsers
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ExternalTenants <IMicrosoftGraphConditionalAccessExternalTenants>]: conditionalAccessExternalTenants
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [MembershipKind <String>]: conditionalAccessExternalTenantsMembershipKind
    • [GuestOrExternalUserTypes <String>]: conditionalAccessGuestOrExternalUserTypes
  • [ExcludeRoles <String- []>]: Role IDs excluded from scope of policy.
  • [ExcludeUsers <String- []>]: User IDs excluded from scope of policy and/or GuestsOrExternalUsers.
  • [IncludeGroups <String- []>]: Group IDs in scope of policy unless explicitly excluded.
  • [IncludeGuestsOrExternalUsers <IMicrosoftGraphConditionalAccessGuestsOrExternalUsers>]: conditionalAccessGuestsOrExternalUsers
  • [IncludeRoles <String- []>]: Role IDs in scope of policy unless explicitly excluded.
  • [IncludeUsers <String- []>]: User IDs in scope of policy unless explicitly excluded, None, All, or GuestsOrExternalUsers.

GRANTCONTROLS <IMicrosoftGraphConditionalAccessGrantControls>: conditionalAccessGrantControls

• [(Any) <Object>]: This indicates any property can be added to this object.
• [AuthenticationStrength <IMicrosoftGraphAuthenticationStrengthPolicy>]: authenticationStrengthPolicy
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Id <String>]: The unique identifier for an entity. Read-only.
  • [AllowedCombinations <String- []>]: A collection of authentication method modes that are required be used to satify this authentication strength.
  • [CombinationConfigurations <IMicrosoftGraphAuthenticationCombinationConfiguration- []>]: Settings that may be used to require specific types or instances of an authentication method to be used when authenticating with a specified combination of authentication methods.
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [AppliesToCombinations <String- []>]: Which authentication method combinations this configuration applies to. Must be an allowedCombinations object defined for the authenticationStrengthPolicy. For fido2combinationConfigurations use 'fido2', for x509certificatecombinationconfiguration use 'x509CertificateSingleFactor' or 'x509CertificateMultiFactor'.
  • [CreatedDateTime <DateTime?>]: The datetime when this policy was created.
  • [Description <String>]: The human-readable description of this policy.
  • [DisplayName <String>]: The human-readable display name of this policy. Supports $filter (eq, ne, not , and in).
  • [ModifiedDateTime <DateTime?>]: The datetime when this policy was last modified.
  • [PolicyType <String>]: authenticationStrengthPolicyType
  • [RequirementsSatisfied <String>]: authenticationStrengthRequirements
• [BuiltInControls <String- []>]: List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue.
• [CustomAuthenticationFactors <String- []>]: List of custom controls IDs required by the policy. To learn more about custom control, see Custom controls (preview).
• [Operator <String>]: Defines the relationship of the grant controls. Possible values: AND, OR.
• [TermsOfUse <String- []>]: List of terms of use IDs required by the policy.

INPUTOBJECT <IIdentitySignInsIdentity>: Identity Parameter

• [ActivityBasedTimeoutPolicyId <String>]: The unique identifier of activityBasedTimeoutPolicy
• [AppManagementPolicyId <String>]: The unique identifier of appManagementPolicy
• [AuthenticationCombinationConfigurationId <String>]: The unique identifier of authenticationCombinationConfiguration
• [AuthenticationConditionApplicationAppId <String>]: The unique identifier of authenticationConditionApplication
• [AuthenticationContextClassReferenceId <String>]: The unique identifier of authenticationContextClassReference
• [AuthenticationEventListenerId <String>]: The unique identifier of authenticationEventListener
• [AuthenticationEventsFlowId <String>]: The unique identifier of authenticationEventsFlow
• [AuthenticationMethodConfigurationId <String>]: The unique identifier of authenticationMethodConfiguration
• [AuthenticationMethodId <String>]: The unique identifier of authenticationMethod
• [AuthenticationMethodModeDetailId <String>]: The unique identifier of authenticationMethodModeDetail
• [AuthenticationMethodModes <String- []>]: Usage: authenticationMethodModes={authenticationMethodModes}
• [AuthenticationStrengthPolicyId <String>]: The unique identifier of authenticationStrengthPolicy
• [AuthorizationPolicyId <String>]: The unique identifier of authorizationPolicy
• [B2CIdentityUserFlowId <String>]: The unique identifier of b2cIdentityUserFlow
• [B2XIdentityUserFlowId <String>]: The unique identifier of b2xIdentityUserFlow
• [BitlockerRecoveryKeyId <String>]: The unique identifier of bitlockerRecoveryKey
• [CertificateBasedAuthConfigurationId <String>]: The unique identifier of certificateBasedAuthConfiguration
• [ClaimsMappingPolicyId <String>]: The unique identifier of claimsMappingPolicy
• [ConditionalAccessPolicyId <String>]: The unique identifier of conditionalAccessPolicy
• [ConditionalAccessTemplateId <String>]: The unique identifier of conditionalAccessTemplate
• [CrossTenantAccessPolicyConfigurationPartnerTenantId <String>]: The unique identifier of crossTenantAccessPolicyConfigurationPartner
• [CustomAuthenticationExtensionId <String>]: The unique identifier of customAuthenticationExtension
• [DataLossPreventionPolicyId <String>]: The unique identifier of dataLossPreventionPolicy
• [DataPolicyOperationId <String>]: The unique identifier of dataPolicyOperation
• [DefaultUserRoleOverrideId <String>]: The unique identifier of defaultUserRoleOverride
• [DirectoryObjectId <String>]: The unique identifier of directoryObject
• [EmailAuthenticationMethodId <String>]: The unique identifier of emailAuthenticationMethod
• [FeatureRolloutPolicyId <String>]: The unique identifier of featureRolloutPolicy
• [Fido2AuthenticationMethodId <String>]: The unique identifier of fido2AuthenticationMethod
• [GroupId <String>]: The unique identifier of group
• [HomeRealmDiscoveryPolicyId <String>]: The unique identifier of homeRealmDiscoveryPolicy
• [IdentityApiConnectorId <String>]: The unique identifier of identityApiConnector
• [IdentityProviderBaseId <String>]: The unique identifier of identityProviderBase
• [IdentityProviderId <String>]: The unique identifier of identityProvider
• [IdentityUserFlowAttributeAssignmentId <String>]: The unique identifier of identityUserFlowAttributeAssignment
• [IdentityUserFlowAttributeId <String>]: The unique identifier of identityUserFlowAttribute
• [IdentityUserFlowId <String>]: The unique identifier of identityUserFlow
• [InformationProtectionLabelId <String>]: The unique identifier of informationProtectionLabel
• [LongRunningOperationId <String>]: The unique identifier of longRunningOperation
• [MicrosoftAuthenticatorAuthenticationMethodId <String>]: The unique identifier of microsoftAuthenticatorAuthenticationMethod
• [MobilityManagementPolicyId <String>]: The unique identifier of mobilityManagementPolicy
• [MultiTenantOrganizationMemberId <String>]: The unique identifier of multiTenantOrganizationMember
• [NamedLocationId <String>]: The unique identifier of namedLocation
• [OAuth2PermissionGrantId <String>]: The unique identifier of oAuth2PermissionGrant
• [OrganizationId <String>]: The unique identifier of organization
• [PasswordAuthenticationMethodId <String>]: The unique identifier of passwordAuthenticationMethod
• [PasswordlessMicrosoftAuthenticatorAuthenticationMethodId <String>]: The unique identifier of passwordlessMicrosoftAuthenticatorAuthenticationMethod
• [PermissionGrantConditionSetId <String>]: The unique identifier of permissionGrantConditionSet
• [PermissionGrantPolicyId <String>]: The unique identifier of permissionGrantPolicy
• [PermissionGrantPreApprovalPolicyId <String>]: The unique identifier of permissionGrantPreApprovalPolicy
• [PhoneAuthenticationMethodId <String>]: The unique identifier of phoneAuthenticationMethod
• [PlatformCredentialAuthenticationMethodId <String>]: The unique identifier of platformCredentialAuthenticationMethod
• [RiskDetectionId <String>]: The unique identifier of riskDetection
• [RiskyServicePrincipalHistoryItemId <String>]: The unique identifier of riskyServicePrincipalHistoryItem
• [RiskyServicePrincipalId <String>]: The unique identifier of riskyServicePrincipal
• [RiskyUserHistoryItemId <String>]: The unique identifier of riskyUserHistoryItem
• [RiskyUserId <String>]: The unique identifier of riskyUser
• [SensitivityLabelId <String>]: The unique identifier of sensitivityLabel
• [SensitivityLabelId1 <String>]: The unique identifier of sensitivityLabel
• [ServicePrincipalCreationConditionSetId <String>]: The unique identifier of servicePrincipalCreationConditionSet
• [ServicePrincipalCreationPolicyId <String>]: The unique identifier of servicePrincipalCreationPolicy
• [ServicePrincipalRiskDetectionId <String>]: The unique identifier of servicePrincipalRiskDetection
• [SoftwareOathAuthenticationMethodId <String>]: The unique identifier of softwareOathAuthenticationMethod
• [TemporaryAccessPassAuthenticationMethodId <String>]: The unique identifier of temporaryAccessPassAuthenticationMethod
• [ThreatAssessmentRequestId <String>]: The unique identifier of threatAssessmentRequest
• [ThreatAssessmentResultId <String>]: The unique identifier of threatAssessmentResult
• [TokenIssuancePolicyId <String>]: The unique identifier of tokenIssuancePolicy
• [TokenLifetimePolicyId <String>]: The unique identifier of tokenLifetimePolicy
• [TrustFrameworkKeySetId <String>]: The unique identifier of trustFrameworkKeySet
• [TrustFrameworkKeyV2Kid <String>]: The unique identifier of trustFrameworkKey_v2
• [TrustFrameworkPolicyId <String>]: The unique identifier of trustFrameworkPolicy
• [UnifiedRoleManagementPolicyAssignmentId <String>]: The unique identifier of unifiedRoleManagementPolicyAssignment
• [UnifiedRoleManagementPolicyId <String>]: The unique identifier of unifiedRoleManagementPolicy
• [UnifiedRoleManagementPolicyRuleId <String>]: The unique identifier of unifiedRoleManagementPolicyRule
• [UserFlowLanguageConfigurationId <String>]: The unique identifier of userFlowLanguageConfiguration
• [UserFlowLanguagePageId <String>]: The unique identifier of userFlowLanguagePage
• [UserId <String>]: The unique identifier of user
• [WindowsHelloForBusinessAuthenticationMethodId <String>]: The unique identifier of windowsHelloForBusinessAuthenticationMethod

SESSIONCONTROLS <IMicrosoftGraphConditionalAccessSessionControls>: conditionalAccessSessionControls

• [(Any) <Object>]: This indicates any property can be added to this object.
• [ApplicationEnforcedRestrictions <IMicrosoftGraphApplicationEnforcedRestrictionsSessionControl>]: applicationEnforcedRestrictionsSessionControl
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
• [CloudAppSecurity <IMicrosoftGraphCloudAppSecuritySessionControl>]: cloudAppSecuritySessionControl
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  • [CloudAppSecurityType <String>]: cloudAppSecuritySessionControlType
• [ContinuousAccessEvaluation <IMicrosoftGraphContinuousAccessEvaluationSessionControl>]: continuousAccessEvaluationSessionControl
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Mode <String>]: continuousAccessEvaluationMode
• [DisableResilienceDefaults <Boolean?>]: Session control that determines whether it's acceptable for Microsoft Entra ID to extend existing sessions based on information collected prior to an outage or not.
• [PersistentBrowser <IMicrosoftGraphPersistentBrowserSessionControl>]: persistentBrowserSessionControl
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  • [Mode <String>]: persistentBrowserSessionMode
• [SecureSignInSession <IMicrosoftGraphSecureSignInSessionControl>]: secureSignInSessionControl
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
• [SignInFrequency <IMicrosoftGraphSignInFrequencySessionControl>]: signInFrequencySessionControl
  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  • [AuthenticationType <String>]: signInFrequencyAuthenticationType
  • [FrequencyInterval <String>]: signInFrequencyInterval
  • [Type <String>]: signinFrequencyType
  • [Value <Int32?>]: The number of days or hours.

RELATED LINKS

https://video2.skills-academy.com/powershell/module/microsoft.graph.beta.identity.signins/update-mgbetaidentityconditionalaccesspolicy

https://video2.skills-academy.com/graph/api/conditionalaccesspolicy-update?view=graph-rest-beta