Public/generated/Get-KritTcmAADConditionalAccessPolicy.ps1

<#
·· × × × ··· SirJ's Deaddrop ··· × × × ···
      — If you found this, you were meant to —

---------------- A Seriously Kritical™ Production ----------------

                                   [] →
                 (¯`·.¸¸.·´¯)
               .·´ `·. [] →
               `·.______________.·´
              | +------------------+ |
              | | Kritical™ | |
              | | [] [] | |
              | | | |
              | | [] [] [] | |
              | +------------------+ |
                  (._.·´¯`·.¸_)

                     Your last call.
                   And your first move.

                         ★ ☆ ★

                     +61 1300 274 655
                 sales at kritical dot net

-----------------------------------------------------------------


.COPYRIGHT
    (c) 2026 Kritical Pty Ltd. All rights reserved.
.AUTHOR
    Joshua Finley <joshua.finley@kritical.net>
.COMPANY
    Kritical Pty Ltd | ABN 39 687 048 086
    Level 4 / 60 Moorabool St Geelong VIC 3220
    1300 274 655 | sales@kritical.net | https://kritical.net/
.NOTES
    HARD RULE 13 canonical Kritical branding — do not overlay other agent banners.
    Auto-generated by Generate-KritTcmFromM365DscSchema.ps1 (.1507o30+).
    Upstream reference: Microsoft365DSC by Microsoft (MIT). This shim provides
    literal search-replace equivalence — see Krit.TCM/generated/index.md.
#>


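function Get-KritTcmAADConditionalAccessPolicy {
<#
.SYNOPSIS
    Krit.TCM shim for M365DSC resource AADConditionalAccessPolicy.

.DESCRIPTION
    Auto-generated from M365DSC .schema.mof by
    scripts/m365-setup/Generate-KritTcmFromM365DscSchema.ps1 (.1507o30).

    Search-replace safe: callers that today invoke
        Get-M365DSCAADConditionalAccessPolicy -Credential $cred -TenantId $tid
    can rename to
        Get-KritTcmAADConditionalAccessPolicy -Credential $cred -TenantId $tid
    with ZERO other edits. Parameter shape is intended to match the M365DSC
    .schema.mof. Per operator direction, -PreferM365DscBehavior defaults to
    true; that switch is not declared by this function, so it is presumably a
    bridge-side setting (confirm against Invoke-KritTcmM365DscSchemaBridge).

    This function performs no Graph call itself. It forwards the parameters the
    caller explicitly supplied ($PSBoundParameters) to
    Invoke-KritTcmM365DscSchemaBridge, which maps resource -> Graph endpoint per
    per-resource wave; where mapping is not yet shipped, the bridge returns an
    object with Verdict='UNMAPPED'.

    Credential handling: -Credential and -CertificatePassword are typed as
    PSCredential so that the credential object reaches the bridge intact. A
    [string] declaration converts a PSCredential argument to its type name
    ("System.Management.Automation.PSCredential"), which silently discards the
    username and password and breaks the drop-in call shown above.

.OUTPUTS
    Whatever Invoke-KritTcmM365DscSchemaBridge emits for this resource.

.NOTES
    Workload: Entra
    Original mof (relative to the repository; the generator should not embed
    workstation-absolute paths in shipped help text):
        .kritm365-mine\Microsoft365DSC\Modules\Microsoft365DSC\DSCResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.schema.mof
    Param count: 36
    Generator wave: .1507o30

    NOTE(review): this file is generated. The type corrections below should be
    made in Generate-KritTcmFromM365DscSchema.ps1 as well, otherwise the next
    regeneration reverts them. Presumably the generator maps every MOF "String"
    property to [string] without honouring EmbeddedInstance("MSFT_Credential");
    confirm against the .schema.mof.
#>

[CmdletBinding()]
param(
        # DisplayName of the AAD CA Policy
[Parameter(Mandatory)] [string]$DisplayName,
        # Specifies the GUID for the Policy.
[string]$Id,
        # Specifies the State of the Policy.
[ValidateSet('disabled','enabled','enabledForReportingButNotEnforced')] [string]$State,
        # Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID.
[string]$ApplicationsFilter,
        # Mode to use for the filter. Possible values are include or exclude.
[ValidateSet('include','exclude')] [string]$ApplicationsFilterMode,
        # Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type.
[ValidateSet('all','enumerated','unknownFutureValue')] [string]$IncludeExternalTenantsMembershipKind,
        # Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type.
[ValidateSet('all','enumerated','unknownFutureValue')] [string]$ExcludeExternalTenantsMembershipKind,
        # Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed.
[ValidateSet('include','exclude')] [string]$ServicePrincipalFilterMode,
        # Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed.
[string]$ServicePrincipalFilterRule,
        # Client Device Filter mode of the Policy.
[ValidateSet('include','exclude')] [string]$DeviceFilterMode,
        # Client Device Filter rule of the Policy.
[string]$DeviceFilterRule,
        # Operator to be used for Grant Controls.
[ValidateSet('AND','OR')] [string]$GrantControlOperator,
        # Specifies, whether Application Enforced Restrictions are enabled in the Policy.
[bool]$ApplicationEnforcedRestrictionsIsEnabled,
        # Specifies, whether Cloud App Security is enforced by the Policy.
[bool]$CloudAppSecurityIsEnabled,
        # Specifies, what Cloud App Security control is enforced by the Policy.
[string]$CloudAppSecurityType,
        # Specifies continuous access evaluation settings. The possible values are: disabled, strictEnforcement, strictLocation
[ValidateSet('disabled','strictEnforcement','strictLocation')] [string]$ContinuousAccessEvaluationMode,
        # Specifies if token protection for sign-in sessions is to be enforced by the policy.
[bool]$SecureSignInSessionIsEnabled,
        # Sign in frequency time in the given unit to be enforced by the policy.
[int]$SignInFrequencyValue,
        # Display name of the terms of use to assign.
[string]$TermsOfUse,
        # Sign in frequency unit (days/hours) to be interpreted by the policy.
[ValidateSet('Days','Hours')] [string]$SignInFrequencyType,
        # Specifies, whether sign-in frequency is enforced by the Policy.
[bool]$SignInFrequencyIsEnabled,
        # Sign in frequency interval. Possible values are: 'timeBased', 'everyTime' and 'unknownFutureValue'.
[ValidateSet('timeBased','everyTime','unknownFutureValue')] [string]$SignInFrequencyInterval,
        # Specifies, whether Browser Persistence is controlled by the Policy.
[bool]$PersistentBrowserIsEnabled,
        # Specifies, what Browser Persistence control is enforced by the Policy.
[ValidateSet('Always','Never')] [string]$PersistentBrowserMode,
        # Specifies, if DisableResilienceDefaults is enabled.
[bool]$DisableResilienceDefaultsIsEnabled,
        # Name of the associated authentication strength policy.
[string]$AuthenticationStrength,
        # Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.
[string]$TransferMethods,
        # Specify if the Azure AD CA Policy should exist or not.
[ValidateSet('Present','Absent')] [string]$Ensure,
        # Credentials for the Microsoft Graph delegated permissions.
        # Typed as PSCredential: a [string] parameter would flatten the credential object to its type name.
[System.Management.Automation.PSCredential]$Credential,
        # Id of the Azure Active Directory application to authenticate with.
[string]$ApplicationId,
        # Id of the Azure Active Directory tenant used for authentication.
[string]$TenantId,
        # Secret of the Azure Active Directory application to authenticate with.
        # NOTE(review): left as [string], so the secret travels as plaintext in memory, transcripts and
        # argument logging. If the MOF marks this property EmbeddedInstance("MSFT_Credential"), it should
        # be PSCredential like -Credential; confirm before changing.
[string]$ApplicationSecret,
        # Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
[string]$CertificateThumbprint,
        # Username can be made up to anything but password will be used for CertificatePassword
        # Typed as PSCredential to match that description; only the password half is meaningful.
[System.Management.Automation.PSCredential]$CertificatePassword,
        # Path to certificate used in service principal usually a PFX file.
[string]$CertificatePath,
        # Managed ID being used for authentication.
[bool]$ManagedIdentity
)
    # $PSBoundParameters holds only the parameters the caller supplied, after type
    # conversion, so the bridge sees PSCredential objects rather than strings.
    # NOTE(review): confirm the bridge neither logs nor serialises -CallerParams verbatim,
    # since it can carry -ApplicationSecret in plaintext.
    Invoke-KritTcmM365DscSchemaBridge -ResourceName 'AADConditionalAccessPolicy' -Workload 'Entra' -Verb 'Get' -CallerParams $PSBoundParameters
}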