Nota:
El acceso a esta página requiere autorización. Puede intentar iniciar sesión o cambiar directorios.
El acceso a esta página requiere autorización. Puede intentar cambiar los directorios.
En caso de que se produzca una interrupción o un error de conectividad en Microsoft Entra Internet Access, los usuarios permanecen protegidos. Sin embargo, es posible que desees realizar una operación de "emergencia": deshabilitar temporalmente los perfiles de reenvío de tráfico y deshabilitar las directivas de condición de red compatibles puede ayudar a los usuarios a recuperar el acceso a sus aplicaciones de Microsoft en favor de la productividad.
A continuación puedes ver un script de ejemplo que puede ayudarte a deshabilitar rápidamente el reenvío de tráfico y cambiar las directivas de acceso condicional mediante la condición de red compatible en modo de solo informe.
Enumerar y deshabilitar directivas de acceso condicional mediante la condición de red compatible en un escenario de emergencia
El script de PowerShell deshabilita eficazmente las directivas de acceso condicional que usan la condición de red compatible. En una situación de emergencia, este script se puede usar para recuperar temporalmente el acceso de los usuarios.
El ejemplo requiere la versión 2.10 del módulo de PowerShell para Microsoft Graph Beta, o cualquier versión posterior.
# gsabreakglass.ps1 places the Compliant Network Conditional Access Policies for a given tenant using Microsoft Entra Internet Access into Report-Only mode.
#
# Version 1.0
#
# This script requires following
# - PowerShell 5.1 (x64) or beyond
# - Module: Microsoft.Graph.Beta
#
#
# Before you begin:
#
# - Make sure you are running PowerShell as an Administrator
# - Make sure your Administrator persona is an leveraging an Entra ID emergency access admin account, not subject to Microsoft Entra Internet Access Compliant Network policy, as described in https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access.
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Import-Module Microsoft.Graph.Beta.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All,Policy.ReadWrite.ConditionalAccess,NetworkAccess.ReadWrite.All"
$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
# Search for any Conditional Access policies leveraging the Compliant Network condition.
$allCAPolicies = Get-MgBetaIdentityConditionalAccessPolicy
$allCompliantNetworkCAPolicies = @()
foreach ($policy in $allCAPolicies)
{
if ($policy.conditions.locations.excludeLocations -Contains "3d46dbda-8382-466a-856d-eb00cbc6b910" -or $policy.conditions.locations.includeLocations -Contains "3d46dbda-8382-466a-856d-eb00cbc6b910")
{
$allCompliantNetworkCAPolicies += $policy
}
}
$compliantNetworkCount = $allCompliantNetworkCAPolicies.Count
$result += "Total count of Compliant Network Conditional Access policies: $($compliantNetworkCount)"
# List + Save the list of Compliant Network Conditional Access policies to the C:\BreakGlass folder for use in .\breakglass.ps1
foreach ($policy in $allCompliantNetworkCAPolicies)
{
$current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$currentState = $current.state
$currentTime = Get-Date
$policyContent = "{0},{1},{2},{3},{4}" -f $policy.displayName, $policy.id, "Current State: $($currentState) at $($currentTime)", $policy.CreatedDateTime, $policy.ModifiedDateTime
$result += $policyContent
Write-Host "CA Policy with ID: $($policy.id) (state: $($current.state)) uses the Compliant Network Condition. Policy name: $($policy.displayName)"
}
$result += " "
$path = "C:\BreakGlass\ListCompliantNetworkCAPolicies.txt"
if (Test-Path $path)
{
$result | Out-File -FilePath $path
} else {
New-Item -Force -Path $path -Type File
$result | Out-File -FilePath $path
}
Write-Host "`nList of Compliant NW policies has been exported to C:\BreakGlass\ListCompliantNetworkCAPolicies.txt`n"
$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
$result += "Total count of Compliant Network Conditional Access policies: $($allCompliantNetworkCAPolicies.Count)"
# Based on admin input, disable either all or some Conditional Access policies leveraging the Compliant Network Condition.
$action = Read-Host "Do you want to put all enabled compliant network Conditional Access policies in Report-Only mode (type 'all') or just specific policy IDs (type 'ids')?"
if ($action -eq "all")
{
foreach ($policy in $allCompliantNetworkCAPolicies)
{
if ($policy)
{
#only BreakGlass if policy is already enabled
if ($policy.state -eq "enabled")
{
$params = @{
state = "enabledForReportingButNotEnforced"
}
$current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$currentState = $current.state
$currentTime = Get-Date
Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params
$updatedTime = Get-Date
$check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$updatedState = $check.state
if ($updatedState -eq "enabledForReportingButNotEnforced")
{
$policyContent = "{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)"
$result += $policyContent
$count++
Write-Host "Policy with ID $($policy.id) is now in Report-Only mode"
} else {
Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode"
}
} else {
Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
}
} else {
Write-Host "Policy with ID $($policy.id) was not found."
}
}
} elseif ($action -eq "ids") {
$policyIds = Read-Host "Enter the IDs of the policies you want to put in Report-Only mode (separated by commas)"
$policyIds = $policyIds -split ","
foreach ($id in $policyIds)
{
$policy = $allCompliantNetworkCAPolicies | Where-Object { $_.id -eq $id }
if ($policy)
{
if ($policy.state -eq "enabled")
{
$params = @{
state = "enabledForReportingButNotEnforced"
}
$current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$currentState = $current.state
$currentTime = Get-Date
Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params
$updatedTime = Get-Date
$check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$updatedState = $check.state
if ($updatedState -eq "enabledForReportingButNotEnforced")
{
$policyContent = "{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)"
$result += $policyContent
$count++
Write-Host "Policy with ID $($policy.id) is now in Report-Only mode."
} else {
Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode"
}
} else {
Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
}
} else {
Write-Host "Policy with ID $id not found."
}
}
} else {
Write-Host "Invalid action. Please type 'all' or 'ids'."
}
# Save the list of Compliant Network Conditional Access policies that were moved to Report-Only mode to the C:\BreakGlass folder for use in .\breakglass.ps1
$result += "Number of policies placed in Report-Only mode: $($count)"
$path = "C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt"
if (Test-Path $path)
{
$result | Out-File -FilePath $path
} else {
New-Item -Force -Path $path -Type File
$result | Out-File -FilePath $path
}
Write-Host "`nCA policy disablement results have been exported to C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt`n"
# Disable Traffic Profiles
$forwardingResult = @()
$timeRun = Get-Date
$result = "Script was run at $($timeRun)`n"
$forwardingProfiles = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles"
foreach ($profile in $forwardingProfiles.value)
{
if ($profile.state -eq "enabled") {
$body = @{ state = "disabled" } | ConvertTo-Json
$check = Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles/$($profile.id)" -Body $body -ContentType "application/json"
if ($check.state -eq "disabled") {
$profileContent = "{0},{1},{2}`n" -f $profile.name, $profile.id, $profile.lastModifiedDateTime
$result += $profileContent
Write-Host "$($profile.name) is now disabled."
} else {
Write-Host "$($profile.name) can't be disabled."
}
} else{
Write-Host "$($profile.name) is already disabled."
}
}
# Save the list of disabled Forwarding profiles to C:\BreakGlass folder
$path = "C:\BreakGlass\DisabledForwardingProfiles.txt"
if (Test-Path $path)
{
$result | Out-File -FilePath $path
} else {
New-Item -Force -Path $path -Type File
$result | Out-File -FilePath $path
}
Write-Host "`nDisabled Forwarding Profiles have been exported to C:\BreakGlass\DisabledForwardingProfiles.txt`n"