Update

For the latest version of this code please visit msgraph-sdk-powershell-examples.

Deprecated Content

An Azure AD Conditional Access policy for Internals that requires either an Azure AD joined (or hybrid joined) device or a trusted location when registering security information; if neither condition is met (BYOD or an untrusted location), multifactor authentication is required.

Suggested name:
CA2{XX}-Internals-IdentityProtection-RegisterSecurityInfo-BYODOrUntrustedLocation-MFA

Assignments

Users

Users and groups  
Include users CA-Persona-Internals
Exclude users Break-glass (emergency access) accounts

Cloud apps or actions

User actions
Register security information

Conditions

Locations  
Include Any location
Exclude All trusted locations
Filter for devices  
Exclude device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"

Access controls

Grant access  
Require Multifactor authentication
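The assignments, conditions and access controls above map directly onto the Microsoft Graph conditionalAccessPolicy resource. The following is an added example, not code from this repository or from msgraph-sdk-powershell-examples, showing how the same policy can be created with the Microsoft Graph PowerShell SDK. The two group object IDs are placeholders for your own CA-Persona-Internals and break-glass groups, and the policy is created in report-only state so that its effect on sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not the repository's own code): builds the policy described above
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Group object IDs below are placeholders and must be replaced with your own.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs (constructed): replace with the IDs of your own groups.
$internalsGroupId  = "00000000-0000-0000-0000-000000000001"   # CA-Persona-Internals
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # break-glass (emergency access) accounts

$policy = @{
    displayName = "CA2XX-Internals-IdentityProtection-RegisterSecurityInfo-BYODOrUntrustedLocation-MFA"
    # Report-only first: review the sign-in logs, then switch state to "enabled".
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        users = @{
            includeGroups = @($internalsGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # User action: Register security information
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")          # Any location
            excludeLocations = @("AllTrusted")   # All trusted locations
        }
        devices = @{
            # Filter for devices: exclude Azure AD joined and hybrid joined devices
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # Require multifactor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the break-glass exclusion survived the round trip
# before the policy is ever switched from report-only to enabled.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroupId) {
    throw "Break-glass exclusion missing from policy $($created.Id); do not enable it."
}
"Device filter rule: $($check.Conditions.Devices.DeviceFilter.Rule)"
```

Keeping the policy in report-only state until the sign-in logs show the expected matches is the usual way to catch a missing exclusion or a device filter that does not match your join type before anyone is blocked from registering security information.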

User Experience

BYOD in an Untrusted Location


References

https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-framework
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common