WPNinjas HeaderWPNinjas Header

Automatic Azure AD Conditional Access Documentation

Creating configuration documentations is always hassle. Therefore, I extended the Intune documentation with a new option to also document Azure AD Conditional Access policies.

The new function Invoke-ConditionalAccessDocumentation will document:

  • Azure AD Conditional Access Policies
  • Translate referenced id’s to real object names (users, groups, roles and applications)

Important: The Conditional Access Policy Documentation does not support login with interactive credentials. It’s required to create a custom app which can be done by calling ‘New-IntuneDocumentationAppRegistration’. I recommend saving the result in a password vault and always using the same client secret.

With the -TokenLifetimeDays parameter you can define how many days the client secret will be valid. If you need a new secret, just execute the function again:

$clientCreds = New-IntuneDocumentationAppRegistration -TokenLifetimeDays 5

As soon you have your client credentials you can start the generation by executing the following command. You can also directly specify the parameters by using saved values from your password vault.

Invoke-ConditionalAccessDocumentation -FullDocumentationPath c:\temp\CADoc.docx -ClientId $clientCreds.ClientId -Tenant $clientCreds.TenantId -ClientSecret $clientCreds.ClientSecret


The result is that you will get not only a Word based documentation which looks like the Intune documentation, but you will also get a CSV file which helps to get a good overview about all your policies and helps to detect errors or unprotected use cases.

Follow me


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.