如果 Microsoft Entra Internet Access 发生中断或连接失败,你的用户仍然受到保护。 但是,你可能想要执行“打破玻璃”操作:暂时禁用流量转发配置文件并禁用合规网络条件策略可帮助用户重新获得对其 Microsoft 应用的访问权限,从而提高工作效率。
你可以在下面查看一个示例脚本,该脚本有助你快速禁用流量转发,并使用合规网络条件将条件访问策略切换为仅限报告模式。
在打破玻璃应用场景中使用合规网络条件列出和禁用条件访问策略
PowerShell 脚本可有效禁用使用合规网络条件的任何条件访问策略。 在紧急情况下,此脚本可用于临时重新获得用户的访问权限。
此示例需要 Microsoft Graph Beta PowerShell 模块 2.10 或更高版本。
# gsabreakglass.ps1 places the Compliant Network Conditional Access Policies for a given tenant using Microsoft Entra Internet Access into Report-Only mode.
#
# Version 1.0
#
# This script requires following
# - PowerShell 5.1 (x64) or beyond
# - Module: Microsoft.Graph.Beta
#
#
# Before you begin:
#
# - Make sure you are running PowerShell as an Administrator
# - Make sure your Administrator persona is an leveraging an Entra ID emergency access admin account, not subject to Microsoft Entra Internet Access Compliant Network policy, as described in https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access.
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Import-Module Microsoft.Graph.Beta.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All,Policy.ReadWrite.ConditionalAccess,NetworkAccess.ReadWrite.All"
$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
# Search for any Conditional Access policies leveraging the Compliant Network condition.
$allCAPolicies = Get-MgBetaIdentityConditionalAccessPolicy
$allCompliantNetworkCAPolicies = @()
foreach ($policy in $allCAPolicies)
{
if ($policy.conditions.locations.excludeLocations -Contains "3d46dbda-8382-466a-856d-eb00cbc6b910" -or $policy.conditions.locations.includeLocations -Contains "3d46dbda-8382-466a-856d-eb00cbc6b910")
{
$allCompliantNetworkCAPolicies += $policy
}
}
$compliantNetworkCount = $allCompliantNetworkCAPolicies.Count
$result += "Total count of Compliant Network Conditional Access policies: $($compliantNetworkCount)"
# List + Save the list of Compliant Network Conditional Access policies to the C:\BreakGlass folder for use in .\breakglass.ps1
foreach ($policy in $allCompliantNetworkCAPolicies)
{
$current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$currentState = $current.state
$currentTime = Get-Date
$policyContent = "{0},{1},{2},{3},{4}" -f $policy.displayName, $policy.id, "Current State: $($currentState) at $($currentTime)", $policy.CreatedDateTime, $policy.ModifiedDateTime
$result += $policyContent
Write-Host "CA Policy with ID: $($policy.id) (state: $($current.state)) uses the Compliant Network Condition. Policy name: $($policy.displayName)"
}
$result += " "
$path = "C:\BreakGlass\ListCompliantNetworkCAPolicies.txt"
if (Test-Path $path)
{
$result | Out-File -FilePath $path
} else {
New-Item -Force -Path $path -Type File
$result | Out-File -FilePath $path
}
Write-Host "`nList of Compliant NW policies has been exported to C:\BreakGlass\ListCompliantNetworkCAPolicies.txt`n"
$result = @()
$timeRun = Get-Date
$result += "Script was run at $($timeRun)"
$count = 0
$result += "Total count of Compliant Network Conditional Access policies: $($allCompliantNetworkCAPolicies.Count)"
# Based on admin input, disable either all or some Conditional Access policies leveraging the Compliant Network Condition.
$action = Read-Host "Do you want to put all enabled compliant network Conditional Access policies in Report-Only mode (type 'all') or just specific policy IDs (type 'ids')?"
if ($action -eq "all")
{
foreach ($policy in $allCompliantNetworkCAPolicies)
{
if ($policy)
{
#only BreakGlass if policy is already enabled
if ($policy.state -eq "enabled")
{
$params = @{
state = "enabledForReportingButNotEnforced"
}
$current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$currentState = $current.state
$currentTime = Get-Date
Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params
$updatedTime = Get-Date
$check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$updatedState = $check.state
if ($updatedState -eq "enabledForReportingButNotEnforced")
{
$policyContent = "{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)"
$result += $policyContent
$count++
Write-Host "Policy with ID $($policy.id) is now in Report-Only mode"
} else {
Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode"
}
} else {
Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
}
} else {
Write-Host "Policy with ID $($policy.id) was not found."
}
}
} elseif ($action -eq "ids") {
$policyIds = Read-Host "Enter the IDs of the policies you want to put in Report-Only mode (separated by commas)"
$policyIds = $policyIds -split ","
foreach ($id in $policyIds)
{
$policy = $allCompliantNetworkCAPolicies | Where-Object { $_.id -eq $id }
if ($policy)
{
if ($policy.state -eq "enabled")
{
$params = @{
state = "enabledForReportingButNotEnforced"
}
$current = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$currentState = $current.state
$currentTime = Get-Date
Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id -BodyParameter $params
$updatedTime = Get-Date
$check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.id
$updatedState = $check.state
if ($updatedState -eq "enabledForReportingButNotEnforced")
{
$policyContent = "{0},{1},{2},{3},{4},{5}" -f $policy.displayName, $policy.id, $policy.CreatedDateTime, $policy.ModifiedDateTime, "Before BreakGlass: $($currentState) at $($currentTime)", "After BreakGlass: $($updatedState) at $($updatedTime)"
$result += $policyContent
$count++
Write-Host "Policy with ID $($policy.id) is now in Report-Only mode."
} else {
Write-Host "Policy with ID $($policy.id) could not be put in Report-Only mode"
}
} else {
Write-Host "Policy with ID $($policy.id) is already Disabled or Report-Only."
}
} else {
Write-Host "Policy with ID $id not found."
}
}
} else {
Write-Host "Invalid action. Please type 'all' or 'ids'."
}
# Save the list of Compliant Network Conditional Access policies that were moved to Report-Only mode to the C:\BreakGlass folder for use in .\breakglass.ps1
$result += "Number of policies placed in Report-Only mode: $($count)"
$path = "C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt"
if (Test-Path $path)
{
$result | Out-File -FilePath $path
} else {
New-Item -Force -Path $path -Type File
$result | Out-File -FilePath $path
}
Write-Host "`nCA policy disablement results have been exported to C:\BreakGlass\ReportOnlyCompliantNetworkCAPolicies.txt`n"
# Disable Traffic Profiles
$forwardingResult = @()
$timeRun = Get-Date
$result = "Script was run at $($timeRun)`n"
$forwardingProfiles = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles"
foreach ($profile in $forwardingProfiles.value)
{
if ($profile.state -eq "enabled") {
$body = @{ state = "disabled" } | ConvertTo-Json
$check = Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingprofiles/$($profile.id)" -Body $body -ContentType "application/json"
if ($check.state -eq "disabled") {
$profileContent = "{0},{1},{2}`n" -f $profile.name, $profile.id, $profile.lastModifiedDateTime
$result += $profileContent
Write-Host "$($profile.name) is now disabled."
} else {
Write-Host "$($profile.name) can't be disabled."
}
} else{
Write-Host "$($profile.name) is already disabled."
}
}
# Save the list of disabled Forwarding profiles to C:\BreakGlass folder
$path = "C:\BreakGlass\DisabledForwardingProfiles.txt"
if (Test-Path $path)
{
$result | Out-File -FilePath $path
} else {
New-Item -Force -Path $path -Type File
$result | Out-File -FilePath $path
}
Write-Host "`nDisabled Forwarding Profiles have been exported to C:\BreakGlass\DisabledForwardingProfiles.txt`n"