ConditionalAccessIQ Module: Enhancing Conditional Access Policy Oversight in Entra ID
ConditionalAccessIQ Overview
Maintaining visibility into changes made to Microsoft Entra Conditional Access policies can be challenging for Identity and Access Management (IAM) professionals. Even in Entra ID, figuring out who changed a policy, what was modified, and when it happened often requires digging through audit logs. By default, Entra ID audit logs are retained for only 30 days, which makes long-term tracking and compliance auditing difficult without additional tools.
ConditionalAccessIQ is a PowerShell-based solution designed to address these challenges. It streamlines Conditional Access policy management by providing automatic version control, change tracking, and visual change comparisons for your Entra ID Conditional Access policies. In essence, ConditionalAccessIQ continuously monitors policy changes, maintains a historical archive of policy versions, and generates clear reports showing exactly what changed, when it changed, and who made the change. This empowers IAM professionals to quickly answer questions about policy modifications and to ensure no critical changes go unnoticed.
Key Features
ConditionalAccessIQ offers several key features that enhance the management of Conditional Access policies:
Version Control: Every change to a Conditional Access policy is automatically saved as a new version. The tool maintains a complete version history, including JSON snapshots of each policy state. These JSON snapshots are not only saved to disk when the tool runs from a server; they are also embedded in the HTML report and can be downloaded from it. This allows administrators to retain an audit trail of policy evolution and, if necessary, compare or revert to previous configurations. Automatic backups ensure that no change is lost and provide documentation for compliance purposes.
Change Visualization: The solution provides interactive HTML diff reports that make it easy to see exactly what changed between policy versions. Changes are displayed side-by-side (before vs. after). A timeline view shows when each change occurred. This visual representation simplifies understanding complex policy updates at a glance, without manually parsing JSON data.
Audit Tracking: ConditionalAccessIQ integrates with Entra ID’s audit logs to pull in details about who made each change and when. Each recorded change is tied to the identity (user or service principal) responsible, along with the timestamp from the audit log. In other words, the tool not only shows what changed but also captures the context of who performed the change, using the same data found in Entra’s audit log events. This provides accountability and makes review of administrative actions much easier than scouring raw logs.
Reporting and Notifications: ConditionalAccessIQ offers flexible reporting options to keep stakeholders informed. It can generate comprehensive HTML reports that are suitable for sharing or archiving, as well as machine-readable JSON exports for integration with other systems. For real-time awareness, the tool supports email notifications – for example, automatically emailing an IAM or security team with a report when changes are made, essentially creating an ongoing change log for Conditional Access policies.
By combining these features – version tracking, visual diffs, audit context, and reporting – ConditionalAccessIQ fills a visibility gap in Entra ID’s native capabilities.
Technical Implementation
Implementing ConditionalAccessIQ in your environment involves a few steps: installing the module, setting up authentication with Microsoft Graph, and configuring automation for continuous monitoring. The tool is deployed as a PowerShell module, making it straightforward for IAM professionals to install and run in familiar workflows.
Installation
ConditionalAccessIQ is available via the PowerShell Gallery. Installation is as simple as running the standard module install command in PowerShell:
# Install the ConditionalAccessIQ module from the PowerShell Gallery
Install-Module -Name ConditionalAccessIQ -Scope CurrentUser
# Import the module into your session
Import-Module ConditionalAccessIQ
This will download and import the module.
Authentication Setup
Because ConditionalAccessIQ queries Microsoft Graph for Conditional Access policies and audit logs, it requires appropriate authentication and permissions in Entra ID:
Interactive (Delegated) Authentication: For quick tests or ad-hoc usage, an administrator can sign in interactively. You’ll need to connect to Microsoft Graph with an account that has permission to read Conditional Access policies, directory objects, and audit logs. In practice, this means the account should have at least the Global Reader role (to cover all required read permissions), in addition to consenting to the necessary delegated permissions.
Connect-MgGraph -Scopes @(
"Policy.Read.All",
"AuditLog.Read.All",
"Directory.Read.All",
"Application.Read.All"
)
This will prompt you to sign in and consent to the read permissions for policies, audit logs, directory, and applications. Once connected, the module’s cmdlets can access Conditional Access policy data and change logs on your behalf.
App Registration (Client Credentials): For automation or service usage, it's recommended to set up a dedicated app registration in Entra ID for ConditionalAccessIQ. This method allows the tool to run without user interaction. The steps to configure this are:
Register an application in Entra ID (via Azure Portal or Entra admin center) and note the Client (Application) ID and Tenant ID. Configure it as a single-tenant app for your organization.
API Permissions: Grant the app Application permissions for the Microsoft Graph API: Policy.Read.All, AuditLog.Read.All, Directory.Read.All, and Application.Read.All. If you plan to use email features, also add Mail.Send. After adding these permissions, an administrator must grant admin consent for them to take effect.
Client Secret or Certificate: Generate a client secret for the app, or upload a certificate, and save the credential securely. This will be used by the script to authenticate.
Connect using Client Credentials: Using the Graph PowerShell SDK, connect by supplying the app’s credentials. For example, using a client secret:
$clientId = "<Your-App-Id>"
$tenantId = "<Your-Tenant-Id>"
$clientSecret = "<Your-Client-Secret>" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($clientId, $clientSecret)
Connect-MgGraph -ClientSecretCredential $creds -TenantId $tenantId
For certificate authentication, use the following instead:
Connect-MgGraph -ClientId <AppID> -CertificateThumbprint <Thumbprint> -TenantId <TenantID>
Once this connection is established, the module runs under the app’s context. (Ensure the app is restricted as needed; for instance, if Mail.Send is granted, you can and should limit it to a specific mailbox.)
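As an added example (not part of the ConditionalAccessIQ module or its documentation), the following Exchange Online commands scope the app registration's Mail.Send application permission to a single reporting mailbox using an application access policy, then verify the result. The app ID and mailbox addresses are placeholders; the ExchangeOnlineManagement module and an Exchange administrator are assumed.

```powershell
# Added example, not part of ConditionalAccessIQ: restrict the app's Mail.Send
# permission to one mailbox. Requires the ExchangeOnlineManagement module and
# an account holding an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$appId   = "<Your-App-Id>"                # placeholder: Client (Application) ID of the CAIQ app registration
$sender  = "caiq-reports@contoso.com"     # placeholder: the only mailbox the app may send from
$other   = "someuser@contoso.com"         # placeholder: any other mailbox, used to confirm denial

# RestrictAccess denies the app every mailbox except the recipient named in
# -PolicyScopeGroupId (a mailbox user or a mail-enabled security group).
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $sender `
    -AccessRight RestrictAccess `
    -Description "Scope ConditionalAccessIQ Mail.Send to the reporting mailbox"

# Verify the policy: AccessCheckResult should be Granted for $sender and Denied
# for any other mailbox. Policy changes can take up to 30 minutes to apply.
Test-ApplicationAccessPolicy -AppId $appId -Identity $sender |
    Select-Object -Property Identity, AccessCheckResult
Test-ApplicationAccessPolicy -AppId $appId -Identity $other |
    Select-Object -Property Identity, AccessCheckResult

Disconnect-ExchangeOnline -Confirm:$false
```

Without such a policy, an app holding Mail.Send can send as any mailbox in the tenant, so the check above is worth keeping in your deployment runbook.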
With either method, after authentication, you can invoke the module’s core cmdlet to scan for changes. The primary command is Invoke-CAIQ, which will query recent Conditional Access policy changes and produce the HTML/JSON reports. By default, running Invoke-CAIQ with no parameters will fetch changes from the last 24 hours and launch an interactive report of any differences found. You can also specify a date range (using -StartDate and -EndDate) to scan a longer period, or point the output to a specific directory/file name as needed (using the -OutputPath or -FileName parameters).
Automation Recommendations
To maximize its effectiveness, ConditionalAccessIQ should be run on a regular schedule so that no changes are missed (given the 30-day limit of audit log data). Automation ensures the tool captures every policy update and maintains an up-to-date change log. Here are some best practices for automation:
Frequency: Running the tool daily is a common approach, as it aligns with the daily audit log cycle. This ensures even a change made over a weekend or off-hours is caught in the next report. In high-change environments, you might run it multiple times per day or adjust frequency as needed.
Scheduling: You can use Windows Task Scheduler on a management server to execute a PowerShell script that connects to Graph and calls Invoke-CAIQ. For cloud-based execution, Azure Automation is an excellent option for scheduling a runbook that includes the ConditionalAccessIQ module; it is what I use.
Email Alerts: As part of the scheduled script, consider using the provided Send-CAIQMailMessage cmdlet to email the daily report to your security or IAM team. For example, after generating the report, the script can email it as an attachment or even embed the HTML content in the email body. This proactive notification turns ConditionalAccessIQ into an early-warning system for policy changes.
By automating the tool, you ensure that a permanent record of Conditional Access modifications is kept beyond the default log retention. It essentially creates a living documentation of your Conditional Access policies, which is invaluable for both troubleshooting and compliance.
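The following runbook is an added example (not code from the ConditionalAccessIQ project) of the daily Azure Automation pattern described above: certificate-based app-only sign-in, a 48-hour scan window so a missed run leaves no gap, and delivery of the HTML report through Microsoft Graph. It assumes Invoke-CAIQ writes its report to the path formed from -OutputPath and -FileName and needs no browser when those are supplied, and that the Automation variable and certificate asset names shown are placeholders you create.

```powershell
# Added example runbook, not part of ConditionalAccessIQ. Assumes the app holds
# Policy.Read.All, AuditLog.Read.All, Directory.Read.All, Application.Read.All
# and Mail.Send (scoped to $sender), and that Invoke-CAIQ writes the report to
# Join-Path $OutputPath $FileName without opening a browser.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users.Actions
Import-Module ConditionalAccessIQ

# Automation assets (placeholder names): variables plus an uploaded certificate.
$tenantId = Get-AutomationVariable    -Name "CAIQ-TenantId"
$clientId = Get-AutomationVariable    -Name "CAIQ-ClientId"
$cert     = Get-AutomationCertificate -Name "CAIQ-AuthCert"
$sender   = "caiq-reports@contoso.com"   # placeholder: the one mailbox Mail.Send is scoped to
$to       = "iam-team@contoso.com"       # placeholder: report recipients

Connect-MgGraph -TenantId $tenantId -ClientId $clientId -Certificate $cert -NoWelcome

# Scan 48 hours on a 24-hour schedule: the overlap tolerates one late or
# failed run without a hole in the archived change history.
$end      = Get-Date
$start    = $end.AddHours(-48)
$outDir   = Join-Path $env:TEMP "caiq"
$fileName = "CAIQ-{0:yyyyMMdd}.html" -f $end
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

Invoke-CAIQ -StartDate $start -EndDate $end -OutputPath $outDir -FileName $fileName
$reportPath = Join-Path $outDir $fileName           # assumed report location
if (-not (Test-Path $reportPath)) { throw "ConditionalAccessIQ report not found at $reportPath" }

# Mail the report as an attachment via Graph (application permission Mail.Send).
$mail = @{
    message = @{
        subject      = "Conditional Access changes {0:u} to {1:u}" -f $start, $end
        body         = @{ contentType = "Text"; content = "ConditionalAccessIQ report attached." }
        toRecipients = @(@{ emailAddress = @{ address = $to } })
        attachments  = @(@{
            "@odata.type" = "#microsoft.graph.fileAttachment"
            name          = $fileName
            contentType   = "text/html"
            contentBytes  = [Convert]::ToBase64String([IO.File]::ReadAllBytes($reportPath))
        })
    }
    saveToSentItems = $false
}
Send-MgUserMail -UserId $sender -BodyParameter $mail
Disconnect-MgGraph | Out-Null
```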
Practical Use Cases
ConditionalAccessIQ provides real-world value in various Identity and Access Management scenarios. Here are a few ways organizations can leverage it:
Tracking Policy Changes and Misconfigurations: With version control and diffs, administrators can easily review what changed in a policy and roll back or adjust if something goes wrong. For example, if a recent modification inadvertently locked out a set of users or weakened a control, the tool’s report will pinpoint the exact changes (e.g. a condition added or removed) and who made them. This speeds up troubleshooting of access issues by quickly identifying if a Conditional Access change is the root cause. It also deters unauthorized or accidental changes – knowing that every edit is logged and visible encourages adherence to change control processes.
Audit and Compliance Reporting: Many organizations require an audit trail of security control changes for compliance frameworks. ConditionalAccessIQ helps produce that evidence with minimal effort. You can maintain an archive of HTML reports showing all Conditional Access policy changes over time, complete with timestamps and editor identities. During an audit or security review, these reports demonstrate that the organization has been actively monitoring and documenting its access policies. This can be crucial for compliance with regulations and standards that mandate tracking of security configuration changes. It complements Entra ID’s native audit logs by presenting the data in an easily digestible format for auditors or managers.
Security Operations and Monitoring: Integrating ConditionalAccessIQ into daily security operations (SecOps) can enhance an organization’s threat detection and response posture. Conditional Access policies are high-impact – a malicious or inappropriate change could introduce vulnerabilities. By receiving daily notifications of policy changes, a security team can quickly verify if each change was authorized and benign. For instance, if an unexpected policy deletion or a change to require less stringent MFA is detected, the security team can investigate immediately. In essence, the tool acts as a specialized change monitoring system for access policies, similar to how one might monitor changes in firewall rules or other critical security settings. This adds an extra layer of oversight beyond what Microsoft’s built-in workbooks and dashboards provide, focusing specifically on the changes made to policies.
In all these use cases, ConditionalAccessIQ serves to increase confidence that Conditional Access policies – which govern key aspects of your organization’s security – are under control and evolving only as intended.
Limitations and Considerations
While ConditionalAccessIQ significantly improves insight into Conditional Access configurations, IAM professionals should be aware of a few limitations and considerations when using the tool:
Alpha Release Maturity: ConditionalAccessIQ is currently in an early development stage (v0.0.1 alpha at the time of writing) (README.md). It has been tested in production environments, but as an alpha release you may encounter minor bugs or edge cases. The tool’s design attempts to adapt to new Conditional Access features dynamically, but this may not cover every scenario. For example, if Microsoft introduces new policy controls or properties in the future, the reporting might not fully recognize them until the module is updated. Users should validate the tool’s outputs in their environment and stay updated on new releases.
Getting the Module
The module is open source and available through multiple channels:
Final Thoughts
ConditionalAccessIQ fills an important gap in Entra ID Conditional Access management by giving professionals a dedicated lens into policy changes. Conditional Access policies are a linchpin of an organization’s security posture, and having the ability to track their every change brings control that the native tools alone may not provide. By implementing version control, audit-backed change tracking, and automated reporting, the tool strengthens your oversight of access policies without adding heavy complexity.
It’s worth noting that ConditionalAccessIQ doesn’t replace the need for good change management practices or Microsoft’s native logging — instead, it leverages those logs to present information in a more actionable way. In practice, whether you are troubleshooting an incident (“Who changed this policy and what did they do?”) or preparing for a compliance audit, ConditionalAccessIQ can save time and provide clarity.
In summary, ConditionalAccessIQ offers real-world value by making Conditional Access policy governance more intelligent and transparent. IAM professionals can ensure that every modification is tracked and reviewed, helping maintain a strong security posture. As organizations continue to adopt Zero Trust principles and rely heavily on Conditional Access, having a robust change intelligence tool like ConditionalAccessIQ can be instrumental in keeping your identity-driven security controls tight and well-managed.