How To Deploy a Complete Entra ID Conditional Access PoC in Under 5 Minutes

This is by far the most substantial time-saving tool I’ve ever shared with the community. From my many years of working with Conditional Access deployments, baselines, and automation tools, I wanted to package all that knowledge, experience, and best practices in a single, fully automated PowerShell tool.

I give you Deploy-DCConditionalAccessBaselinePoC 🙌

With Deploy-DCConditionalAccessBaselinePoC in DCToolbox you can deploy a complete Conditional Access proof-of-concept design in your organisation within minutes. All you have to do is install or update DCToolbox and run the command. It takes care of all dependencies for you; you just sit back and watch the magic happen. The result is a fully functional Conditional Access design in report-only mode, based on my battle-proven Conditional Access policy design baseline that’s been protecting hundreds of thousands of users for over 4 years now.

This is what the tool does:

  • Installs Microsoft Graph PowerShell module (if you don’t already have it installed).
  • Connects to Microsoft Graph (you must run the tool as a Global Administrator so you can consent to the required Graph permissions during authentication).
  • Creates a break glass exclude group (protected by the ‘role-assignable’ attribute, so only Privileged Role Administrators and Global Administrators can change its membership) and adds your current account as a member of that group.
  • Creates a service account group for non-human accounts.
  • Creates a named location for your corporate IP addresses (it automatically adds your current public IP address to the list).
  • Creates a named location for allowed countries (I added some countries that I tend to work in as examples).
  • Uploads a Terms of Use template in English.
  • Deploys my Conditional Access policy design baseline from https://danielchronlund.com to your tenant in report-only mode.

The tool can also perform some advanced actions if you specify parameters (see the command’s PowerShell help for details):

  • Reuse groups, named locations and terms of use that already exist in your tenant.
  • Skip deployment of baseline policies you don’t want to include (for example the Identity Protection policies if you lack the Entra ID P2 licenses they require).
  • Skip report-only mode and deploy straight into production mode. WARNING: Use this specific feature with caution, since ALL POLICIES go live for ALL USERS when you specify it. This is only intended for lab tenants.

For details of the resulting policy design, see the explanation for each policy on the baseline page.

Note: This tool requires PowerShell version 7 to run.

Deploy a Complete Entra ID Conditional Access PoC:

# Install/update DCToolbox (requires at least version 2.0.4):
Install-Module -Name DCToolbox -Force
# Deploy a Complete Entra ID Conditional Access PoC:
Deploy-DCConditionalAccessBaselinePoC

Example Output:

And that’s it! This is what you’ll get, along with groups, named locations and terms of use:

Since the policies are deployed in report-only mode (except for the Device Compliant policy, which is not deployed in report-only mode because report-only evaluation of device-compliance controls can trigger device certificate prompts on macOS, iOS and Android), you can use the sign-in logs and the Conditional Access insights and reporting workbook to evaluate the PoC. You can then enable policies one by one when you are ready. It can’t get much easier than this 🙂
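The following script is an added example, not part of DCToolbox or of the original post. It covers two steps described above: checking what the tool deployed (every policy’s state, and that the break glass group is excluded from every policy), and promoting a single policy from report-only to enabled when you are ready. The break glass group display name and the policy display name are assumptions passed as parameters; the tool’s own naming may differ, so adjust them to match your tenant. Only Microsoft Graph PowerShell cmdlets are used.

```powershell
#Requires -Version 7
# Added example (not DCToolbox code): audit a Conditional Access PoC and, optionally,
# enforce one report-only policy. Group and policy names below are assumptions.
param (
    # Assumption: display name of the break glass exclude group created by the tool.
    [string]$BreakGlassGroupName = 'Conditional Access Exclude Group',
    # Assumption: display name of the one policy you are ready to enforce.
    [string]$PolicyToEnable,
    [switch]$Enable
)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns

# Read-only scopes are enough for the audit; write scope only when -Enable is used.
$scopes = @('Policy.Read.All', 'Group.Read.All')
if ($Enable) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$group = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'"
if (-not $group) { throw "Break glass group '$BreakGlassGroupName' not found." }
if (-not $group.IsAssignableToRole) {
    Write-Warning "Group '$BreakGlassGroupName' is not role-assignable; its membership is not protected."
}

$policies = Get-MgIdentityConditionalAccessPolicy -All

# 1. Show every policy's enforcement state so nothing went live by accident.
$policies | Sort-Object DisplayName | Select-Object DisplayName, State | Format-Table -AutoSize

# 2. Every policy must exclude the break glass group; a policy without the
#    exclusion can lock out all administrators if it misfires.
$missingExclude = $policies | Where-Object {
    $_.Conditions.Users.ExcludeGroups -notcontains $group.Id
}
if ($missingExclude) {
    Write-Warning 'Policies that do NOT exclude the break glass group:'
    $missingExclude | ForEach-Object { Write-Warning "  $($_.DisplayName)" }
}

# 3. List policies that are already enforced (expected: only Device Compliant in the PoC).
$policies | Where-Object State -eq 'enabled' | ForEach-Object {
    Write-Host "Enforced: $($_.DisplayName)"
}

# 4. Promote exactly one policy from report-only to enabled, with guard rails.
if ($Enable) {
    if (-not $PolicyToEnable) { throw 'Specify -PolicyToEnable together with -Enable.' }
    $target = $policies | Where-Object DisplayName -eq $PolicyToEnable
    if (-not $target) { throw "Policy '$PolicyToEnable' not found." }
    if ($target.State -ne 'enabledForReportingButNotEnforced') {
        throw "Policy '$PolicyToEnable' is in state '$($target.State)', not report-only."
    }
    if ($target.Conditions.Users.ExcludeGroups -notcontains $group.Id) {
        throw "Refusing to enforce '$PolicyToEnable': break glass group is not excluded."
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $target.Id -State 'enabled'
    Write-Host "Enabled: $PolicyToEnable"
}
```

Run it without parameters first to get the audit only; then run it with -Enable -PolicyToEnable '<display name>' for each policy you have evaluated in the sign-in logs. The script refuses to enforce a policy that is not currently in report-only mode or that lacks the break glass exclusion, which is the check you want before any policy goes live.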

I hope this tool will save you as much time as it has for me!

Please follow me here, on LinkedIn, and on X!

@DanielChronlund