Invoke-ConditionalAccessDocumentation.ps1

<#PSScriptInfo
 
.VERSION 1.2.0
 
.GUID 6c861af7-d12e-4ea2-b5dc-56fee16e0107
 
.AUTHOR Nicola Suter
 
.TAGS ConditionalAccess, AzureAD, Identity
     
.PROJECTURI https://github.com/nicolonsky/ConditionalAccessDocumentation
 
.ICONURI https://raw.githubusercontent.com/microsoftgraph/g-raph/master/g-raph.png
 
.DESCRIPTION This script documents Azure AD Conditional Access Policies.
 
.SYNOPSIS This script retrieves all Conditional Access Policies and translates Azure AD Object ID's to display names for users, groups, directory roles, locations...
.EXAMPLE
    & "C:\Repos\GitHub\ConditionalAccessDocumentation\Invoke-ConditionalAccessDocumentation.ps1"
    Generates the documentation and exports the csv to the script directory.
.NOTES
    Author: Nicola Suter
    Creation Date: 05.05.2020
#>


#Requires -Module @{ ModuleName = 'Microsoft.Graph.Identity.ConditionalAccess'; ModuleVersion = '0.7.0'}, @{ ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '0.7.0'}, @{ ModuleName = 'Microsoft.Graph.Identity.ServicePrincipal'; ModuleVersion = '0.7.0'}, @{ ModuleName = 'Microsoft.Graph.Identity.DirectoryRoleTemplates'; ModuleVersion = '0.7.0'}, @{ ModuleName = 'Microsoft.Graph.Users.User'; ModuleVersion = '0.7.0'}, @{ ModuleName = 'Microsoft.Graph.Groups.Group'; ModuleVersion = '0.7.0'}

function Test-Guid
{
    <#
    .SYNOPSIS
    Validates a given input string and checks string is a valid GUID
    .DESCRIPTION
    Validates a given input string and checks string is a valid GUID by using the .NET method Guid.TryParse
    .EXAMPLE
    Test-Guid -InputObject "3363e9e1-00d8-45a1-9c0c-b93ee03f8c13"
    .NOTES
    Uses .NET method [guid]::TryParse()
    #>

    [Cmdletbinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string]$InputObject
    )
    process{
        return [guid]::TryParse($InputObject, $([ref][guid]::Empty))
    }
}

if ($null -eq $(Get-MgContext)){
    Throw "Authentication needed, call 'Connect-Graph -Scopes @(`"Application.Read.All`", `"Group.Read.All`", `"Policy.Read.All`", `"RoleManagement.Read.Directory`", `"User.Read.All`")'."
}

# Lookup table for application ID's
$lookupTable = @{
    "00000004-0000-0ff1-ce00-000000000000" ="Microsoft.Lync"
    "00000006-0000-0ff1-ce00-000000000000" ="Microsoft.Office365Portal"
    "00000003-0000-0ff1-ce00-000000000000" ="Microsoft.SharePoint"
    "00000005-0000-0000-c000-000000000000" ="Microsoft.Azure.Workflow"
    "00000009-0000-0000-c000-000000000000" ="Microsoft.Azure.AnalysisServices"
    "00000002-0000-0ff1-ce00-000000000000" ="Microsoft.Exchange"
    "00000007-0000-0ff1-ce00-000000000000" ="Microsoft.ExchangeOnlineProtection"
    "00000002-0000-0000-c000-000000000000" ="Microsoft.Azure.ActiveDirectory"
    "8fca0a66-c008-4564-a876-ab3ae0fd5cff" ="Microsoft.SMIT"
    "0000000b-0000-0000-c000-000000000000" ="Microsoft.SellerDashboard"
    "0000000f-0000-0000-c000-000000000000" ="Microsoft.Azure.GraphExplorer"
    "0000000c-0000-0000-c000-000000000000" ="MicrosoftAppAccessPanel"
    "00000013-0000-0000-c000-000000000000" ="Microsoft.Azure.Portal"
    "00000010-0000-0000-c000-000000000000" ="Microsoft.Azure.GraphStore"
    "93ee9413-cf4c-4d4e-814b-a91ff20a01bd" ="Workflow"
    "aa9ecb1e-fd53-4aaa-a8fe-7a54de2c1334" ="Microsoft.Office365.Configure"
    "797f4846-ba00-4fd7-ba43-dac1f8f63013" ="WindowsAzureServiceManagementAPI"
    "00000005-0000-0ff1-ce00-000000000000" ="Microsoft.YammerEnterprise"
    "601d4e27-7bb3-4dee-8199-90d47d527e1c" ="Microsoft.Office365.ChangeManagement"
    "6f82282e-0070-4e78-bc23-e6320c5fa7de" ="Microsoft.DiscoveryService"
    "0f698dd4-f011-4d23-a33e-b36416dcb1e6" ="Microsoft.OfficeClientService"
    "67e3df25-268a-4324-a550-0de1c7f97287" ="Microsoft.OfficeWebAppsService"
    "ab27a73e-a3ba-4e43-8360-8bcc717114d8" ="Microsoft.OfficeModernCalendar"
    "aedca418-a84d-430d-ab84-0b1ef06f318f" ="Workflow"
    "595d87a1-277b-4c0a-aa7f-44f8a068eafc" ="Microsoft.SupportTicketSubmission"
    "e3583ad2-c781-4224-9b91-ad15a8179ba0" ="Microsoft.ExtensibleRealUserMonitoring"
    "b645896d-566e-447e-8f7f-e2e663b5d182" ="OpsDashSharePointApp"
    "48229a4a-9f1d-413a-8b96-4c02462c0360" ="OpsDashSharePointApp"
    "48717084-a59c-4306-9dc4-3f618dbecdf9" ="Office365DevelopmentTools"
    "c859ff33-eb41-4ba6-8093-a2c5153bbd7c" ="Workflow"
    "67cad61c-3411-48d7-ab73-561c64f11ed6" ="Workflow"
    "914ed757-9257-4200-b68e-a2bed2f12c5a" ="RbacBackfill"
    "499b84ac-1321-427f-aa17-267ca6975798" ="Microsoft.VisualStudio.Online"
    "b2590339-0887-4e94-93aa-13357eb510d7" ="Workflow"
    "0000001b-0000-0000-c000-000000000000" ="MicrosoftPowerBIInformationService"
    "89f80565-bfac-4c01-9535-9f0eba332ffe" ="PowerBI"
    "433895fb-4ec7-45c3-a53c-c44d10f80d5b" ="CompromisedAccountService"
    "d7c17728-4f1e-4a1e-86cf-7e0adf3fe903" ="Workflow"
    "17ef6d31-381f-4783-b186-7b440a3c85c1" ="Workflow"
    "00000012-0000-0000-c000-000000000000" ="Microsoft.Azure.RMS"
    "81ce94d4-9422-4c0d-a4b9-3250659366ce" ="Workflow"
    "8d3a7d3c-c034-4f19-a2ef-8412952a9671" ="MicrosoftOffice"
    "0469d4cd-df37-4d93-8a61-f8c75b809164" ="MicrosoftPolicyAdministrationService"
    "31d3f3f5-7267-45a8-9549-affb00110054" ="WindowsAzureRemoteAppService"
    "4e004241-32db-46c2-a86f-aaaba29bea9c" ="Workflow"
    "748d098e-7a3b-436d-8b0a-006a58b29647" ="Workflow"
    "dbf08535-1d3b-4f89-bf54-1d48dd613a61" ="Workflow"
    "ed9fe1ef-25a4-482f-9981-2b60f91e2448" ="Workflow"
    "8ad28d50-ee26-42fc-8a29-e41ea38461f2" ="Office365RESTAPIExplorer.Office365App"
    "38285dce-a13d-4107-9b04-3016b941bb3a" ="BasicDataOperationsREST"
    "92bb96c8-321c-47f9-bcc5-8849490c2b07" ="BasicSelfHostedAppREST"
    "488a57a0-00e2-4817-8c8d-cf8a15a994d2" ="WindowsFormsApplication2.Office365App"
    "11c174dc-1945-4a9a-a36b-c79a0f246b9b" ="AzureApplicationInsights"
    "e6acb561-0d94-4287-bd3a-3169f421b112" ="Tutum"
    "7b77b3a2-8490-49e1-8842-207cd0899af9" ="Nearpod"
    "0000000a-0000-0000-c000-000000000000" ="Microsoft.Intune"
    "93625bc8-bfe2-437a-97e0-3d0060024faa" ="SelfServicePasswordReset"
    "dee7ba80-6a55-4f3b-a86c-746a9231ae49" ="MicrosoftAppPlatEMA"
    "803ee9ca-3f7f-4824-bd6e-0b99d720c35c" ="AzureMediaService"
    "2d4d3d8e-2be3-4bef-9f87-7875a61c29de" ="OneNote"
    "8d40666e-5abf-45f6-a5e7-b7192d6d56ed" ="Workflow"
    "262044b1-e2ce-469f-a196-69ab7ada62d3" ="BackupManagementService"
    "087a2c70-c89e-463f-8dd3-e3959eabb1a9" ="MicrosoftProfileServicePlatformService"
    "7cd684f4-8a78-49b0-91ec-6a35d38739ba" ="AzureLogicApps"
    "c5393580-f805-4401-95e8-94b7a6ef2fc2" ="Office365ManagementAPIs"
    "96231a05-34ce-4eb4-aa6a-70759cbb5e83" ="MicrosoftAzureRedisCache"
    "b8340c3b-9267-498f-b21a-15d5547fd85e" ="Hyper-VRecoveryManager"
    "abfa0a7c-a6b6-4736-8310-5855508787cd" ="Microsoft.Azure.WebSites"
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c" ="IbizaPortal"
    "905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba" ="Sway"
    "b10686fd-6ba8-49f2-a3cd-67e4d2f52ac8" ="NovoEd"
    "c606301c-f764-4e6b-aa45-7caaaea93c9a" ="OfficeStore"
    "569e8598-685b-4ba2-8bff-5bced483ac46" ="Evercontact"
    "20a23a2f-8c32-4de7-8063-8c8f909602c0" ="Workflow"
    "aaf214cc-8013-4b95-975f-13203ae36039" ="PowerBITiles"
    "d88a361a-d488-4271-a13f-a83df7dd99c2" ="IDMLGraphResolverServiceandCAD"
    "dff9b531-6290-4620-afce-26826a62a4e7" ="DocuSign"
    "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" ="DeviceRegistrationService"
    "3290e3f7-d3ac-4165-bcef-cf4874fc4270" ="Smartsheet"
    "a4ee6867-8640-4495-b1fd-8b26037a5bd3" ="Workflow"
    "aa0e3dd4-df02-478d-869e-fc61dd71b6e8" ="Workflow"
    "0f6edad5-48f2-4585-a609-d252b1c52770" ="AIGraphClient"
    "0c8139b5-d545-4448-8d2b-2121bb242680" ="BillingExtension"
    "475226c6-020e-4fb2-8a90-7a972cbfc1d4" ="KratosAppsService"
    "39624784-6cbe-4a60-afbe-9f46d10fdb27" ="SkypeForBusinessRemotePowershell"
    "8bdebf23-c0fe-4187-a378-717ad86f6a53" ="ResourceHealthRP"
    "c161e42e-d4df-4a3d-9b42-e7a3c31f59d4" ="MicrosoftIntuneAPI"
    "9cb77803-d937-493e-9a3b-4b49de3f5a74" ="MicrosoftIntuneServiceDiscovery"
    "ddbf3205-c6bd-46ae-8127-60eb93363864" ="MicrosoftAzureBatch"
    "80ccca67-54bd-44ab-8625-4b79c4dc7775" ="ComplianceCenter"
    "0a5f63c0-b750-4f38-a71c-4fc0d58b89e2" ="MicrosoftMobileApplicationManagement"
    "e1335bb1-2aec-4f92-8140-0e6e61ae77e5" ="CIWebService"
    "75018fbe-21fe-4a57-b63c-83252b5eaf16" ="TeamImprover-TeamOrganizationChart"
    "a393296b-5695-4463-97cb-9fa8638a494a" ="MySharePointSites"
    "fe217466-5583-431c-9531-14ff7268b7b3" ="MicrosoftEducation"
    "5bfe8a29-054e-4348-9e7a-3981b26b125f" ="BingPlacesforBusiness"
    "eaf8a961-f56e-47eb-9ffd-936e22a554ef" ="DevilFish"
    "4b4b1d56-1f03-47d9-a0a3-87d4afc913c9" ="Wunderlist"
    "00000003-0000-0000-c000-000000000000" ="MicrosoftGraph"
    "60e6cd67-9c8c-4951-9b3c-23c25a2169af" ="ComputeResourceProvider"
    "507bc9da-c4e2-40cb-96a7-ac90df92685c" ="Office365Reports"
    "09abbdfd-ed23-44ee-a2d9-a627aa1c90f3" ="ProjectWorkManagement"
    "28ec9756-deaf-48b2-84d5-a623b99af263" ="OfficePersonalAssistantatWorkService"
    "9e4a5442-a5c9-4f6f-b03f-5b9fcaaf24b1" ="OfficeServicesManager"
    "3138fe80-4087-4b04-80a6-8866c738028a" ="SharePointNotificationService"
    "d2a0a418-0aac-4541-82b2-b3142c89da77" ="MicrosoftAzureOperationalInsights"
    "2cf9eb86-36b5-49dc-86ae-9a63135dfa8c" ="AzureTrafficManagerandDNS"
    "32613fc5-e7ac-4894-ac94-fbc39c9f3e4a" ="OAuthSandbox"
    "925eb0d0-da50-4604-a19f-bd8de9147958" ="GroupiesWebService"
    "e4ab13ed-33cb-41b4-9140-6e264582cf85" ="AzureSQLDatabaseBackupToAzureBackupVault"
    "ad230543-afbe-4bb4-ac4f-d94d101704f8" ="ApiaryforPowerBI"
    "11cd3e2e-fccb-42ad-ad00-878b93575e07" ="AutomatedCallDistribution"
    "de17788e-c765-4d31-aba4-fb837cfff174" ="SkypeforBusinessManagementReportingandAnalytics"
    "65d91a3d-ab74-42e6-8a2f-0add61688c74" ="MicrosoftApprovalManagement"
    "5225545c-3ebd-400f-b668-c8d78550d776" ="OfficeAgentService"
    "1cda9b54-9852-4a5a-96d4-c2ab174f9edf" ="O365Account"
    "4747d38e-36c5-4bc3-979b-b0ef74df54d1" ="PushChannel"
    "b97b6bd4-a49f-4a0c-af18-af507d1da76c" ="OfficeShreddingService"
    "d4ebce55-015a-49b5-a083-c84d1797ae8c" ="MicrosoftIntuneEnrollment"
    "5b20c633-9a48-4a5f-95f6-dae91879051f" ="AzureInformationProtection"
    "441509e5-a165-4363-8ee7-bcf0b7d26739" ="EnterpriseAgentPlatform"
    "e691bce4-6612-4025-b94c-81372a99f77e" ="Boomerang"
    "8edd93e1-2103-40b4-bd70-6e34e586362d" ="WindowsAzureSecurityResourceProvider"
    "94c63fef-13a3-47bc-8074-75af8c65887a" ="OfficeDelve"
    "e95d8bee-4725-4f59-910d-94d415da51b9" ="SkypeforBusinessNameDictionaryService"
    "e3c5dbcd-bb5f-4bda-b943-adc7a5bbc65e" ="Workflow"
    "8602e328-9b72-4f2d-a4ae-1387d013a2b3" ="AzureAPIManagement"
    "8b3391f4-af01-4ee8-b4ea-9871b2499735" ="O365SecureScore"
    "c26550d6-bc82-4484-82ca-ac1c75308ca3" ="Office365YammerOnOls"
    "33be1cef-03fb-444b-8fd3-08ca1b4d803f" ="OneDriveWeb"
    "dcad865d-9257-4521-ad4d-bae3e137b345" ="MicrosoftSharePointOnline-SharePointHome"
    "b2cc270f-563e-4d8a-af47-f00963a71dcd" ="OneProfileService"
    "4660504c-45b3-4674-a709-71951a6b0763" ="MicrosoftInvitationAcceptancePortal"
    "ba23cd2a-306c-48f2-9d62-d3ecd372dfe4" ="OfficeGraph"
    "d52485ee-4609-4f6b-b3a3-68b6f841fa23" ="On-PremisesDataGatewayConnector"
    "996def3d-b36c-4153-8607-a6fd3c01b89f" ="Dynamics365forFinancials"
    "b6b84568-6c01-4981-a80f-09da9a20bbed" ="MicrosoftInvoicing"
    "9d3e55ba-79e0-4b7c-af50-dc460b81dca1" ="MicrosoftAzureDataCatalog"
    "4345a7b9-9a63-4910-a426-35363201d503" ="O365SuiteUX"
    "ac815d4a-573b-4174-b38e-46490d19f894" ="Workflow"
    "bb8f18b0-9c38-48c9-a847-e1ef3af0602d" ="Microsoft.Azure.ActiveDirectoryIUX"
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" ="MicrosoftTeamsServices"
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" ="SkypeTeams"
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264" ="MicrosoftTeams"
    "6d32b7f8-782e-43e0-ac47-aaad9f4eb839" ="PermissionServiceO365"
    "cdccd920-384b-4a25-897d-75161a4b74c1" ="SkypeTeamsFirehose"
    "1c0ae35a-e2ec-4592-8e08-c40884656fa5" ="SkypeTeamSubstrateconnector"
    "cf6c77f8-914f-4078-baef-e39a5181158b" ="SkypeTeamsSettingsStore"
    "64f79cb9-9c82-4199-b85b-77e35b7dcbcb" ="MicrosoftTeamsBots"
    "b7912db9-aa33-4820-9d4f-709830fdd78f" ="ConnectionsService"
    "82f77645-8a66-4745-bcdf-9706824f9ad0" ="PowerAppsRuntimeService"
    "6204c1d1-4712-4c46-a7d9-3ed63d992682" ="MicrosoftFlowPortal"
    "7df0a125-d3be-4c96-aa54-591f83ff541c" ="MicrosoftFlowService"
    "331cc017-5973-4173-b270-f0042fddfd75" ="PowerAppsService"
    "0a0e9e37-25e3-47d4-964c-5b8237cad19a" ="CloudSponge"
    "df09ff61-2178-45d8-888c-4210c1c7b0b2" ="O365UAPProcessor"
    "8338dec2-e1b3-48f7-8438-20c30a534458" ="ViewPoint"
    "00000001-0000-0000-c000-000000000000" ="AzureESTSService"
    "394866fc-eedb-4f01-8536-3ff84b16be2a" ="MicrosoftPeopleCardsService"
    "0a0a29f9-0a25-49c7-94bf-c53c3f8fa69d" ="CortanaExperiencewithO365"
    "bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4" ="CPIMService"
    "0004c632-673b-4105-9bb6-f3bbd2a927fe" ="PowerAppsandFlow"
    "d3ce4cf8-6810-442d-b42e-375e14710095" ="GraphExplorer"
    "3aa5c166-136f-40eb-9066-33ac63099211" ="O365CustomerMonitoring"
    "d6fdaa33-e821-4211-83d0-cf74736489e1" ="MicrosoftServiceTrust"
    "ef4a2a24-4b4e-4abf-93ba-cc11c5bd442c" ="Edmodo"
    "b692184e-b47f-4706-b352-84b288d2d9ee" ="Microsoft.MileIQ.RESTService"
    "a25dbca8-4e60-48e5-80a2-0664fdb5c9b6" ="Microsoft.MileIQ"
    "f7069a8d-9edc-4300-b365-ae53c9627fc4" ="Microsoft.MileIQ.Dashboard"
    "02e3ae74-c151-4bda-b8f0-55fbf341de08" ="ApplicationRegistrationPortal"
    "1f5530b3-261a-47a9-b357-ded261e17918" ="AzureMulti-FactorAuthConnector"
    "981f26a1-7f43-403b-a875-f8b09b8cd720" ="AzureMulti-FactorAuthClient"
    "6ea8091b-151d-447a-9013-6845b83ba57b" ="ADHybridHealth"
    "fc68d9e5-1f76-45ef-99aa-214805418498" ="AzureADIdentityProtection"
    "01fc33a7-78ba-4d2f-a4b7-768e336e890e" ="MS-PIM"
    "a6aa9161-5291-40bb-8c5c-923b567bee3b" ="StorageResourceProvider"
    "4e9b8b9a-1001-4017-8dd1-6e8f25e19d13" ="AdobeAcrobat"
    "159b90bb-bb28-4568-ad7c-adad6b814a2f" ="LastPass"
    "b4bddae8-ab25-483e-8670-df09b9f1d0ea" ="Signup"
    "aa580612-c342-4ace-9055-8edee43ccb89" ="MicrosoftStaffHub"
    "51133ff5-8e0d-4078-bcca-84fb7f905b64" ="MicrosoftTeamsMailhook"
    "ab3be6b7-f5df-413d-ac2d-abf1e3fd9c0b" ="MicrosoftTeamsGraphService"
    "b1379a75-ce5e-4fa3-80c6-89bb39bf646c" ="MicrosoftTeamsChatAggregator"
    "48af08dc-f6d2-435f-b2a7-069abd99c086" ="Connectors"
    "d676e816-a17b-416b-ac1a-05ad96f43686" ="Workflow"
    "cfa8b339-82a2-471a-a3c9-0fc0be7a4093" ="AzureKeyVault"
    "c2f89f53-3971-4e09-8656-18eed74aee10" ="calendly"
    "6da466b6-1d13-4a2c-97bd-51a99e8d4d74" ="ExchangeOfficeGraphClientforAAD-Interactive"
    "0eda3b13-ddc9-4c25-b7dd-2f6ea073d6b7" ="MicrosoftFlowCDSIntegrationService"
    "eacba838-453c-4d3e-8c6a-eb815d3469a3" ="MicrosoftFlowCDSIntegrationServiceTIP1"
    "4ac7d521-0382-477b-b0f8-7e1d95f85ca2" ="SQLServerAnalysisServicesAzure"
    "b4114287-89e4-4209-bd99-b7d4919bcf64" ="OfficeDelve"
    "4580fd1d-e5a3-4f56-9ad1-aab0e3bf8f76" ="CallRecorder"
    "a855a166-fd92-4c76-b60d-a791e0762432" ="MicrosoftTeamsVSTS"
    "c37c294f-eec8-47d2-b3e2-fc3daa8f77d3" ="Workflow"
    "fc75330b-179d-49af-87dd-3b1acf6827fa" ="AzureAutomationAADPatchS2S"
    "766d89a4-d6a6-444d-8a5e-e1a18622288a" ="OneDrive"
    "f16c4a38-5aff-4549-8199-ee7d3c5bd8dc" ="Workflow"
    "4c4f550b-42b2-4a16-93f9-fdb9e01bb6ed" ="TargetedMessagingService"
    "765fe668-04e7-42ba-aec0-2c96f1d8b652" ="ExchangeOfficeGraphClientforAAD-Noninteractive"
    "0130cc9f-7ac5-4026-bd5f-80a08a54e6d9" ="AzureDataWarehousePolybase"
    "a1cf9e0a-fe14-487c-beb9-dd3360921173" ="Meetup"
    "76cd24bf-a9fc-4344-b1dc-908275de6d6d" ="AzureSQLVirtualNetworktoNetworkResourceProvider"
    "9f505dbd-a32c-4685-b1c6-72e4ef704cb0" ="AmazonAlexa"
    "1e2ca66a-c176-45ea-a877-e87f7231e0ee" ="MicrosoftB2BAdminWorker"
    "2634dd23-5e5a-431c-81ca-11710d9079f4" ="MicrosoftStreamService"
    "cf53fce8-def6-4aeb-8d30-b158e7b1cf83" ="MicrosoftStreamPortal"
    "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87" ="MicrosoftForms"
    "978877ea-b2d6-458b-80c7-05df932f3723" ="MicrosoftTeamsAuditService"
    "dbc36ae1-c097-4df9-8d94-343c3d091a76" ="ServiceEncryption"
    "fa7ff576-8e31-4a58-a5e5-780c1cd57caa" ="OneNote"
    "cb4dc29f-0bf4-402a-8b30-7511498ed654" ="PowerBIPremium"
    "f5aeb603-2a64-4f37-b9a8-b544f3542865" ="MicrosoftTeamsRetentionHookService"
    "da109bdd-abda-4c06-8808-4655199420f8" ="GlipContacts"
    "76c7f279-7959-468f-8943-3954880e0d8c" ="AzureSQLManagedInstancetoMicrosoft.Network"
    "3a9ddf38-83f3-4ea1-a33a-ecf934644e2d" ="ProtectedMessageViewer"
    "5635d99c-c364-4411-90eb-764a511b5fdf" ="ResponsiveBannerSlider"
    "a43e5392-f48b-46a4-a0f1-098b5eeb4757" ="Cloudsponge"
    "d73f4b35-55c9-48c7-8b10-651f6f2acb2e" ="MCAPIAuthorizationProd"
    "166f1b03-5b19-416f-a94b-1d7aa2d247dc" ="OfficeHive"
    "b815ce1c-748f-4b1e-9270-a42c1fa4485a" ="Workflow"
    "bd7b778b-4aa8-4cde-8d90-8aeb821c0bd2" ="Workflow"
    "9d06afd9-66c9-49a6-b385-ea7509332b0b" ="O365SBRMService"
    "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7" ="Bing"
    "57fb890c-0dab-4253-a5e0-7188c88b2bb4" ="SharePointOnlineClient"
    "45c10911-200f-4e27-a666-9e9fca147395" ="drawio"
    "b73f62d0-210b-4396-a4c5-ea50c4fab79b" ="SkypeBusinessVoiceFraudDetectionandPrevention"
    "bc59ab01-8403-45c6-8796-ac3ef710b3e3" ="OutlookOnlineAdd-inApp"
    "035f9e1d-4f00-4419-bf50-bf2d87eb4878" ="AzureMonitorRestricted"
    "7c33bfcb-8d33-48d6-8e60-dc6404003489" ="NetworkWatcher"
    "a0be0c72-870e-46f0-9c49-c98333a996f7" ="AzureDnsFrontendApp"
    "1e3e4475-288f-4018-a376-df66fd7fac5f" ="NetworkTrafficAnalyticsService"
    "7557eb47-c689-4224-abcf-aef9bd7573df" ="SkypeforBusiness"
    "c39c9bac-9d1f-4dfb-aa29-27f6365e5cb7" ="AzureAdvisor"
    "2087bd82-7206-4c0a-b305-1321a39e5926" ="MicrosoftTo-Do"
    "f8d98a96-0999-43f5-8af3-69971c7bb423" ="iOSAccounts"
    "c27373d3-335f-4b45-8af9-fe81c240d377" ="P2PServer"
    "5c2ffddc-f1d7-4dc3-926e-3c1bd98e32bd" ="RITSDev"
    "982bda36-4632-4165-a46a-9863b1bbcf7d" ="O365Demeter"
    "98c8388a-4e86-424f-a176-d1288462816f" ="OfficeFeedProcessors"
    "bf9fc203-c1ff-4fd4-878b-323642e462ec" ="JarvisTransactionService"
    "257601fd-462f-4a21-b623-7f719f0f90f4" ="CentralizedDeployment"
    "2a486b53-dbd2-49c0-a2bc-278bdfc30833" ="CortanaatWorkService"
    "22d7579f-06c2-4baa-89d2-e844486adb9d" ="CortanaatWorkBingServices"
    "4c8f074c-e32b-4ba7-b072-0f39d71daf51" ="IPSubstrate"
    "a164aee5-7d0a-46bb-9404-37421d58bdf7" ="MicrosoftTeamsAuthSvc"
    "354b5b6d-abd6-4736-9f51-1be80049b91f" ="MicrosoftMobileApplicationManagementBackend"
    "82b293b2-d54d-4d59-9a95-39c1c97954a7" ="TasksinaBox"
    "fdc83783-b652-4258-a622-66bc85f1a871" ="FedExPackageTracking"
    "d0597157-f0ae-4e23-b06c-9e65de434c4f" ="MicrosoftTeamsTaskService"
    "f5c26e74-f226-4ae8-85f0-b4af0080ac9e" ="ApplicationInsightsAPI"
    "57c0fc58-a83a-41d0-8ae9-08952659bdfd" ="AzureCosmosDBVirtualNetworkToNetworkResourceProvider"
    "744e50be-c4ff-4e90-8061-cd7f1fabac0b" ="LinkedInMicrosoftGraphConnector"
    "823dfde0-1b9a-415a-a35a-1ad34e16dd44" ="MicrosoftTeamsWikiImagesMigration"
    "3ab9b3bc-762f-4d62-82f7-7e1d653ce29f" ="MicrosoftVolumeLicensing"
    "44eb7794-0e11-42b6-800b-dc31874f9f60" ="Alignable"
    "c58637bb-e2e1-4312-8a00-04b5ffcd3403" ="SharePointOnlineClientExtensibility"
    "62b732f7-fc71-40bc-b27d-35efcb0509de" ="MicrosoftTeamsAadSync"
    "07978fee-621a-42df-82bb-3eabc6511c26" ="SurveyMonkey"
    "47ee738b-3f1a-4fc7-ab11-37e4822b007e" ="AzureADApplicationProxy"
    "00000007-0000-0000-c000-000000000000" ="DynamicsCRMOnline"
    "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0" ="DynamicsLifecycleservices"
    "f217ad13-46b8-4c5b-b661-876ccdf37302" ="AttachOneDrivefilestoAsana"
    "00000008-0000-0000-c000-000000000000" ="Microsoft.Azure.DataMarket"
    "9b06ebd4-9068-486b-bdd2-dac26b8a5a7a" ="Microsoft.DynamicsMarketing"
    "e8ab36af-d4be-4833-a38b-4d6cf1cfd525" ="MicrosoftSocialEngagement"
    "8909aac3-be91-470c-8a0b-ff09d669af91" ="MicrosoftParatureDynamicsCRM"
    "71234da4-b92f-429d-b8ec-6e62652e50d7" ="MicrosoftCustomerEngagementPortal"
    "b861dbcc-a7ef-4219-a005-0e4de4ea7dcf" ="DataExportServiceforMicrosoftDynamics365"
    "2db8cb1d-fb6c-450b-ab09-49b6ae35186b" ="MicrosoftDynamicsCRMLearningPath"
    "2e49aa60-1bd3-43b6-8ab6-03ada3d9f08b" ="DynamicsDataIntegration"
    "d1ddf0e4-d672-4dae-b554-9d5bdfd93547" ="Microsoft Intune Powershell" 
}

# Get Conditional Access Policies
$conditionalAccessPolicies = Get-MgConditionalAccessPolicy -All
#Get Conditional Access Named / Trusted Locations
$namedLocations = Get-MgConditionalAccessNamedLocation -All
# Get Azure AD Directory Role Templates
$directoryRoleTemplates = Get-MgDirectoryRoleTemplate -All
# Get Azure AD Service Principals
$servicePrincipals = Get-MgServicePrincipal -All
# Init report
$conditionalAccessDocumentation = @()

# Process all Conditional Access Policies
foreach ($conditionalAccessPolicy in $conditionalAccessPolicies){

    # Display some progress (based on policy count)
    $currentIndex = $conditionalAccessPolicies.indexOf($conditionalAccessPolicy)
    Write-Progress -Activity "Generating Conditional Access Documentation..." -PercentComplete (($currentIndex + 1) / $conditionalAccessPolicies.Count * 100) `
    -CurrentOperation "Processing Policy '$($conditionalAccessPolicy.DisplayName)' ($currentIndex/$($conditionalAccessPolicies.Count))"

    try{
        # Resolve object ID's of included users
        $includeUsers = @() 
        $conditionalAccessPolicy.Conditions.UserIncludeUsers | ForEach-Object {
            if (Test-Guid $PSItem){
                $includeUsers += Get-MgUser -userId $PSItem | Select-Object -ExpandProperty DisplayName -ErrorAction Stop
            }else{
                $includeUsers += $PSItem
            }
        }
        # Resolve object ID's of excluded users
        $excludeUsers = @()
        $conditionalAccessPolicy.Conditions.UserExcludeUsers | ForEach-Object {
            if (Test-Guid $PSItem){
                $excludeUsers += Get-MgUser -userId $PSItem | Select-Object -ExpandProperty DisplayName -ErrorAction Stop
            }else{
                $excludeUsers += $PSItem
            }
        }
        # Resolve object ID's of included groups
        $includeGroups = @() 
        $conditionalAccessPolicy.Conditions.UserIncludeGroups | ForEach-Object {
            $includeGroups += Get-MgGroup -groupId $PSItem | Select-Object -ExpandProperty DisplayName
        }
        # Resolve object ID's of excluded groups
        $excludeGroups = @() 
        $conditionalAccessPolicy.Conditions.UserExcludeGroups | ForEach-Object {
            $excludeGroups += Get-MgGroup -groupId $PSItem | Select-Object -ExpandProperty DisplayName
        }
        # Resolve object ID's of included roles
        $includeRoles = @()
        $conditionalAccessPolicy.Conditions.UserIncludeRoles | ForEach-Object {
            $roleId = $PSItem
            $includeRoles += $directoryRoleTemplates | Where-Object {$PSItem.Id -eq $roleId} | Select-Object -ExpandProperty DisplayName
        }
        # Replace role display names if all selected
        $maxRoles = 56
        if ($includeRoles.Count -eq $maxRoles){
        $includeRoles = "All ($maxRoles)"
        }
        # Resolve object ID's of excluded roles
        $excludeRoles = @()
        $conditionalAccessPolicy.Conditions.UserExcludeRoles | ForEach-Object {
            $roleId = $PSItem
            $excludeRoles += $directoryRoleTemplates | Where-Object {$PSItem.Id -eq $roleId} | Select-Object -ExpandProperty DisplayName
        }
        # Resolve object ID's of included apps
        $includeApps = @()
        $conditionalAccessPolicy.Conditions.ApplicationIncludeApplications | ForEach-Object {
            $servicePrincipalId = $PSItem
            if (Test-Guid $PSItem){
                $res = $servicePrincipals | Where-Object {$PSItem.AppId -eq $servicePrincipalId} | Select-Object -ExpandProperty DisplayName
                if ($null -ne $res){
                    $includeApps += $res
                }else{

                    $res = $lookupTable[$servicePrincipalId]

                    if ($null -ne $res){
                        $includeApps += $res
                    }else{
                        $includeApps += $servicePrincipalId
                    }
                }
            } else {
                $includeApps += $servicePrincipalId
            }
        }
        # Resolve object ID's of excluded apps
        $excludeApps = @()
        $conditionalAccessPolicy.Conditions.ApplicationExcludeApplications | ForEach-Object {
            $servicePrincipalId = $PSItem
            if (Test-Guid $PSItem){
                $res = $servicePrincipals | Where-Object {$PSItem.AppId -eq $servicePrincipalId} | Select-Object -ExpandProperty DisplayName
                if ($null -ne $res){
                    $excludeApps += $res
                }else{

                    $res = $lookupTable[$servicePrincipalId]

                    if ($null -ne $res){
                        $excludeApps += $res
                    }else{
                        $excludeApps += $servicePrincipalId
                    }
                }
            } else {
                $excludeApps += $servicePrincipalId
            }
        }
        # Resolve object ID's of included locations
        $includeLocations = @()
        $conditionalAccessPolicy.Conditions.LocationIncludeLocations | ForEach-Object {
            $locationId = $PSItem
            if (Test-Guid $PSItem){
                $includeLocations += $namedLocations | Where-Object {$PSItem.Id -eq $locationId} | Select-Object -ExpandProperty DisplayName
            }else{
                $includeLocations += $locationId
            }
        }
        # Resolve object ID's of excluded locations
        $excludeLocations = @()
        $conditionalAccessPolicy.Conditions.LocationExcludeLocations | ForEach-Object {
            $locationId = $PSItem
            if (Test-Guid $PSItem){
                $excludeLocations += $namedLocations | Where-Object {$PSItem.Id -eq $locationId} | Select-Object -ExpandProperty DisplayName
            }else{
                $excludeLocations += $locationId
            }
        }

        # delimiter for arrays in csv report
        $separator = "`r`n"

        # Build custom object with properties
        $entry = [PSCustomObject]@{

            Name = $conditionalAccessPolicy.DisplayName
            State =  $conditionalAccessPolicy.State

            IncludeUsers = $includeUsers -join $separator
            IncludeGroups = $includeGroups -join $separator
            IncludeRoles = $includeRoles  -join $separator

            ExcludeUsers = $excludeUsers-join $separator
            ExcludeGroups = $excludeGroups -join $separator
            ExcludeRoles = $excludeRoles -join $separator

            IncludeApps = $includeApps -join $separator
            ExcludeApps = $excludeApps -join $separator

            IncludeUserActions = $conditionalAccessPolicy.Conditions.ApplicationIncludeUserActions -join $separator
            ClientAppTypes = $conditionalAccessPolicy.Conditions.ClientAppTypes -join $separator

            IncludePlatforms = $conditionalAccessPolicy.Conditions.PlatformIncludePlatforms -join $separator
            ExcludePlatforms = $conditionalAccessPolicy.Conditions.PlatformExcludePlatforms -join $separator

            IncludeLocations = $includeLocations -join $separator
            ExcludeLocations = $excludeLocations -join $separator

            IncludeDeviceStates = $conditionalAccessPolicy.Conditions.DeviceIncludeDeviceStates -join $separator
            ExcludeDeviceStates = $conditionalAccessPolicy.Conditions.DeviceExcludeDeviceStates -join $separator

            GrantControls = $conditionalAccessPolicy.GrantControlBuiltInControls -join $separator
            GrantControlsOperator = $conditionalAccessPolicy.GrantControlOperator

            ApplicationEnforcedRestrictions = $conditionalAccessPolicy.ApplicationEnforcedRestrictionIsEnabled
            CloudAppSecurity = $conditionalAccessPolicy.CloudAppSecurityIsEnabled
            PersistentBrowser = $conditionalAccessPolicy.PersistentBrowserMode
            SignInFrequency = "$($conditionalAccessPolicy.SignInFrequencyValue) $($conditionalAccessPolicy.SignInFrequencyType)"
        }
        # Add entry to report
        $conditionalAccessDocumentation += $entry
    }catch{
        Write-Error $PSItem
    }  
}

# Build export path (script directory)
$exportPath = Join-Path $PSScriptRoot "ConditionalAccessDocumentation.csv"
# Export report as csv
$conditionalAccessDocumentation | Export-Csv -Path $exportPath -NoTypeInformation

Write-Output "Exported Documentation to '$($exportPath)'"