private/helper/m365/entra/conditionalaccess/Get-EntraIdConditionalAccessEnforceAppRestriction.ps1

function Get-EntraIdConditionalAccessEnforceAppRestriction
{
    <#
    .SYNOPSIS
        Get all conditional access policies that is set to enforce app restriction.
    .DESCRIPTION
        Returns list of policies that are set to enforce app restrictions.
    .NOTES
        Requires the following modules:
        - Microsoft.Graph.Identity.SignIns
    .EXAMPLE
        Get-EntraIdConditionalAccessEnforceAppRestriction;
    #>


    [cmdletbinding()]
    param
    (
    )

    BEGIN
    {
        # Write to log.
        Write-Log -Category 'Entra' -Subcategory 'Policy' -Message 'Getting all conditional access policies' -Level Debug;

        # Get all policies.
        $conditionalAccessPolicies = Get-MgIdentityConditionalAccessPolicy -All;

        # Store policies that are set to enforce session idle timeout.
        $policies = New-Object System.Collections.ArrayList;
    }
    PROCESS
    {
        # Foreach policy.
        foreach ($conditionalAccessPolicy in $conditionalAccessPolicies)
        {
            # Booleans for various conditions.
            [bool]$policyEnabled = $true;
            [bool]$policyAppliedToAllUsers = $true;
            [bool]$policyAppliedToCloudApp = $true;
            [bool]$policyAppliedConditionClientApp = $true;
            [bool]$policyAppliedSessionAppEnforceRestrictions = $true;

            # If the policy is not enabled.
            if ($conditionalAccessPolicy.State -ne 'enabled')
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' disabled" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyEnabled = $false;
            }

            # If the policy is not applied to all users.
            if ($conditionalAccessPolicy.Conditions.Users.IncludeUsers -ne 'All')
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' is not applied to all users" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyAppliedToAllUsers = $false;
            }

            # Else if the policy is excluded from all users.
            if ($conditionalAccessPolicy.Conditions.Users.ExcludeUsers -eq 'All')
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' have excluded all users" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyAppliedToAllUsers = $false;
            }

            # If the policy is not applied to the Office 365 cloud app.
            if ($conditionalAccessPolicy.Conditions.Applications.IncludeApplications -ne 'Office365')
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' is not applied to Office 365 app" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyAppliedToCloudApp = $false;
            }

            # Else if the policy is excluded from the Office 365 cloud app.
            if ($conditionalAccessPolicy.Conditions.Applications.ExcludeApplications -eq 'Office365')
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' have excluded the Office 365 app" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyAppliedToCloudApp = $false;
            }

            # If the policy is not applied to the browser client app.
            if ($conditionalAccessPolicy.Conditions.ClientAppTypes -notcontains 'browser')
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' do not have the browser as a client app" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyAppliedConditionClientApp = $false;
            }

            # If the session control is not set to enforce application restrictions.
            if ($false -eq $conditionalAccessPolicy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled)
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' session control do not have application enforce restriction set" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Set condition.
                $policyAppliedSessionAppEnforceRestrictions = $false;
            }

            # If conditions are met.
            if ($true -eq $policyEnabled -and
                $true -eq $policyAppliedToAllUsers -and
                $true -eq $policyAppliedToCloudApp -and
                $true -eq $policyAppliedConditionClientApp -and
                $true -eq $policyAppliedSessionAppEnforceRestrictions)
            {
                # Write to log.
                Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ("Conditional access policy '{0}' is set to enforce session idle timeout" -f $conditionalAccessPolicy.DisplayName) -Level Debug;

                # Add to list.
                $policies += [PSCustomObject]@{
                    Id          = $conditionalAccessPolicy.Id;
                    DisplayName = $conditionalAccessPolicy.DisplayName;
                    Description = $conditionalAccessPolicy.Description;
                    State       = $conditionalAccessPolicy.State;
                }
            }

            # Write to log.
            Write-Log -Category 'Entra' -Subcategory 'Policy' -Message ('Found {0} that is set to enforce session idle timeout (enforce app restriction)' -f $policies.Count) -Level Debug;
        }
    }
    END
    {
        # Return policies.
        return $policies;
    }
}