Application Management Policies

Install-Module Microsoft.Graph

Import-Module Microsoft.Graph.Identity.SignIns

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"

#################################### Tenant wide policy ####################################

# Get current state of the tenant wide app management policy
Get-MgPolicyDefaultAppManagementPolicy | fl

# Update the tenant wide app management policy
$params = @{
	isEnabled = $true

    # Application restrictions target applications owned by this tenant
	applicationRestrictions = @{
		passwordCredentials = @(
			@{
			 	# Restrict password addition to apps created after a certain date
				restrictionType = "passwordAddition"
				maxLifetime = $null
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2025-01-01T10:37:00Z")
			}
			@{
            
				restrictionType = "passwordLifetime"
				# Restrict password lifetime in ISO 8601 format (https://tc39.es/proposal-temporal/docs/duration.html)
                maxLifetime = "P4DT12H30M5S"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T00:00:00Z")
			}
			@{
				restrictionType = "symmetricKeyAddition"
				maxLifetime = $null
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T00:00:00Z")
			}
			@{
				restrictionType = "customPasswordAddition"
				maxLifetime = $null
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
			}
			@{
				restrictionType = "symmetricKeyLifetime"
				maxLifetime = "P40D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
			}
		)
		keyCredentials = @(
			@{
				restrictionType = "asymmetricKeyLifetime"
				maxLifetime = "P1Y"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
			}
		)
	}
    ## Service principal restrictions target service principals owned by any other tenant
    #servicePrincipalRestrictions = @{

    #}    
}

Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params


#################################### Application specific policy ####################################

# Create a new app management policy

$params = @{
	displayName = "Control Secret Creation"
	description = "Allow Secret Creation and Limit Secret Lifetime"
	isEnabled = $true
	restrictions = @{
		passwordCredentials = @(
			@{
				restrictionType = "passwordAddition"
				state = "enabled"
				maxLifetime = $null
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2023-01-01T13:37:00Z")
			}
			@{
                # Restrict password lifetime in ISO 8601 format (https://tc39.es/proposal-temporal/docs/duration.html)
				restrictionType = "passwordLifetime"
				state = "enabled"
				maxLifetime = "P1Y6M15D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2018-01-01T13:37:00Z")
			}
		)
		keyCredentials = @(
		)
		
	}
}

# Create the app management policy and retrieve the ID
$appManagementPolicyId = (New-MgPolicyAppManagementPolicy -BodyParameter $params).Id


# Update the app management policy - only after changing the restrictions
$appManagementPolicyId = "b1b3b3b3-3b3b3-b3b3b3-b"
Update-MgPolicyAppManagementPolicy -AppManagementPolicyId $appManagementPolicyId -BodyParameter $params


# Create a new app management policy assignment (bind policy to app)
$params = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/policies/appManagementPolicies/$appManagementPolicyId"
}
# Object ID (not application ID!) of the app to which the policy is assigned
$applicationObjectId = "b1b3b3b3-3b3b3-b3b3b3-b"

New-MgApplicationAppManagementPolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params