
    Application Management Policies

    In diesem Video zeigen wir euch, wie ihr App Management Policies in Entra ID konfiguriert, um Sicherheitseinstellungen für registrierte Apps und Service Principals festzulegen. Ihr erfahrt:

    • Was sind App Management Policies? Einschränkungen für Authentifizierungsmethoden konfigurieren
    • Tenantweite Richtlinien setzen: Maximale Laufzeit für App-Secrets begrenzen
    • Spezifische Richtlinien für einzelne Apps: Wann Ausnahmen erlaubt sind
    • Graph PowerShell nutzen: Schritt-für-Schritt zur sicheren App-Registrierung




    Benötigst du Unterstützung?

    Melde dich bei uns!



    Im Script musst du, wie im Video gezeigt, die entsprechenden Variablen anpassen.

    Configure-AppManagementPolicies.ps1

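    # Configure-AppManagementPolicies.ps1
    #
    # Configures Entra ID app management policies through the Microsoft Graph PowerShell SDK:
    #   1. the tenant-wide default policy (limits secret/key creation and lifetime for all owned apps)
    #   2. a custom policy that is created, (optionally) updated and then assigned to one application
    #
    # Replace every placeholder marked <...> before running. All calls below talk to Microsoft Graph.

    # Fail on the first failing Graph call instead of continuing with a $null policy ID.
    $ErrorActionPreference = 'Stop'

    # The umbrella module installs all Graph sub-modules; -Scope CurrentUser needs no elevation.
    Install-Module Microsoft.Graph -Scope CurrentUser

    Import-Module Microsoft.Graph.Identity.SignIns   # *-MgPolicy*AppManagementPolicy cmdlets
    Import-Module Microsoft.Graph.Applications       # New-MgApplicationAppManagementPolicyByRef

    # Connect to Microsoft Graph.
    # NOTE(review): the policy assignment at the end may additionally require an application
    # permission such as Application.ReadWrite.All — verify with
    # Find-MgGraphCommand -Command New-MgApplicationAppManagementPolicyByRef
    Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"

    #################################### Tenant wide policy ####################################

    # Show the current state of the tenant-wide policy before changing it
    Get-MgPolicyDefaultAppManagementPolicy | Format-List

    # Tenant-wide restrictions. Each entry only affects apps created after its
    # restrictForAppsCreatedAfterDateTime, so existing apps are not broken retroactively.
    # maxLifetime is an ISO 8601 duration (https://tc39.es/proposal-temporal/docs/duration.html)
    # and is set only on the *Lifetime restriction types.
    $tenantPolicy = @{
        isEnabled = $true

        # Application restrictions target applications owned by this tenant
        applicationRestrictions = @{
            passwordCredentials = @(
                @{
                    # Block adding new client secrets to apps created after this date
                    restrictionType                     = "passwordAddition"
                    maxLifetime                         = $null
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2025-01-01T10:37:00Z")
                }
                @{
                    # Cap the lifetime of new client secrets
                    restrictionType                     = "passwordLifetime"
                    maxLifetime                         = "P4DT12H30M5S"
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T00:00:00Z")
                }
                @{
                    restrictionType                     = "symmetricKeyAddition"
                    maxLifetime                         = $null
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T00:00:00Z")
                }
                @{
                    restrictionType                     = "customPasswordAddition"
                    maxLifetime                         = $null
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
                }
                @{
                    restrictionType                     = "symmetricKeyLifetime"
                    maxLifetime                         = "P40D"
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
                }
            )
            keyCredentials = @(
                @{
                    # Cap the lifetime of new certificate credentials
                    restrictionType                     = "asymmetricKeyLifetime"
                    maxLifetime                         = "P1Y"
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
                }
            )
        }
        ## Service principal restrictions target service principals owned by any other tenant
        #servicePrincipalRestrictions = @{
        #
        #}
    }

    Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $tenantPolicy


    #################################### Application specific policy ####################################

    # Custom policy that is assigned to a single app and overrides the tenant-wide policy for it.
    # NOTE(review): state = "enabled" keeps a restriction active for this app. If the policy is
    # meant as an exception that *permits* secret creation (as displayName/description suggest),
    # the passwordAddition entry would presumably need state = "disabled" — confirm the intent.
    $customPolicy = @{
        displayName  = "Control Secret Creation"
        description  = "Allow Secret Creation and Limit Secret Lifetime"
        isEnabled    = $true
        restrictions = @{
            passwordCredentials = @(
                @{
                    restrictionType                     = "passwordAddition"
                    state                               = "enabled"
                    maxLifetime                         = $null
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2023-01-01T13:37:00Z")
                }
                @{
                    # Restrict password lifetime in ISO 8601 format (https://tc39.es/proposal-temporal/docs/duration.html)
                    restrictionType                     = "passwordLifetime"
                    state                               = "enabled"
                    maxLifetime                         = "P1Y6M15D"
                    restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2018-01-01T13:37:00Z")
                }
            )
            keyCredentials = @(
            )
        }
    }

    # Create the app management policy and keep its ID for the update/assignment below
    $appManagementPolicyId = (New-MgPolicyAppManagementPolicy -BodyParameter $customPolicy).Id
    if (-not $appManagementPolicyId) {
        throw "New-MgPolicyAppManagementPolicy returned no policy ID"
    }

    # To change the restrictions of an already existing policy on a later run, skip the
    # New-... call above, set that policy's ID here and run only the Update-... call.
    # Do NOT leave this assignment active in the same run, or it discards the ID just created.
    # $appManagementPolicyId = "<existing-app-management-policy-id>"
    Update-MgPolicyAppManagementPolicy -AppManagementPolicyId $appManagementPolicyId -BodyParameter $customPolicy


    # Object ID (not application/client ID!) of the app to which the policy is assigned
    $applicationObjectId = "<application-object-id>"
    # Fail before any Graph call if the placeholder was not replaced with a GUID
    if (-not ($applicationObjectId -as [guid])) {
        throw "applicationObjectId must be the object ID (GUID) of the app registration, got '$applicationObjectId'"
    }

    # Bind the policy to the app via a $ref link to the policy resource
    $policyRef = @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/policies/appManagementPolicies/$appManagementPolicyId"
    }

    New-MgApplicationAppManagementPolicyByRef -ApplicationId $applicationObjectId -BodyParameter $policyRef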