Application Management Policies
In diesem Video zeigen wir euch, wie ihr App Management Policies in Entra ID konfiguriert, um Sicherheitseinstellungen für registrierte Apps und Service Principals festzulegen. Ihr erfahrt:
- Was sind App Management Policies? Einschränkungen für App-Anmeldeinformationen (Client Secrets, symmetrische Schlüssel, Zertifikate) und deren Laufzeiten konfigurieren
- Tenantweite Richtlinien setzen: Maximale Laufzeit für App-Secrets begrenzen
- Spezifische Richtlinien für einzelne Apps: Wann Ausnahmen erlaubt sind
- Graph PowerShell nutzen: Schritt-für-Schritt zur sicheren App-Registrierung
Benötigst du Unterstützung?
Melde dich bei uns!
Im Script musst du, wie im Video gezeigt, die entsprechenden Variablen anpassen – insbesondere die Platzhalter für die Policy-ID und die Objekt-ID (nicht die Application-ID) der App sowie die Stichtage und maximalen Laufzeiten der Secrets.
Configure-AppManagementPolicies.ps1
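# Install-Module pulls the whole Microsoft.Graph meta-module (all sub-modules) from the PowerShell Gallery.
# NOTE(review): for a repeatable, auditable rollout consider pinning a version (-RequiredVersion) and
# installing for the current user only (-Scope CurrentUser) instead of machine-wide.
Install-Module Microsoft.Graph
# Policy cmdlets used below (Get-/Update-MgPolicyDefaultAppManagementPolicy, New-/Update-MgPolicyAppManagementPolicy)
Import-Module Microsoft.Graph.Identity.SignIns
# New-MgApplicationAppManagementPolicyByRef (binding a policy to an app) lives in the Applications module;
# import it explicitly instead of relying on module auto-loading.
Import-Module Microsoft.Graph.Applications
# Connect to Microsoft Graph (interactive sign-in) with the scope needed to read and write app management policies.
# NOTE(review): binding a policy to an application (New-MgApplicationAppManagementPolicyByRef) may additionally
# require Application.ReadWrite.All — add it to -Scopes if that call is rejected. Consider passing -TenantId
# so the policy change cannot accidentally land in the wrong tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"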
#################################### Tenant wide policy ####################################
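# Capture the current tenant-wide (default) app management policy and show it.
# Keeping the object gives a baseline to compare against, and to roll back to, after the update.
$currentDefaultPolicy = Get-MgPolicyDefaultAppManagementPolicy
$currentDefaultPolicy | Format-List

# Cut-off dates below are parsed with the invariant culture and normalised to UTC, so the values
# sent to Graph do not depend on the admin workstation's locale or time zone
# (a plain [DateTime]::Parse("...Z") returns a Local-kind value converted to the machine's zone).
$invariant = [System.Globalization.CultureInfo]::InvariantCulture
$asUtc     = [System.Globalization.DateTimeStyles]::AdjustToUniversal

# Update the tenant wide app management policy.
# NOTE(review): the request carries the complete applicationRestrictions object; restrictions that are
# configured in the tenant today but not listed here are presumably replaced/dropped by this PATCH —
# diff against $currentDefaultPolicy before running it.
$params = @{
    isEnabled = $true
    # Application restrictions target applications owned by this tenant
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                # Restrict password (client secret) addition for apps created after the cut-off date;
                # maxLifetime does not apply to an "addition" restriction
                restrictionType = "passwordAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2025-01-01T10:37:00Z", $invariant, $asUtc)
            }
            @{
                # Restrict password lifetime in ISO 8601 duration format
                # (https://tc39.es/proposal-temporal/docs/duration.html): 4 days 12h 30m 5s is a demo value
                restrictionType = "passwordLifetime"
                maxLifetime = "P4DT12H30M5S"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T00:00:00Z", $invariant, $asUtc)
            }
            @{
                # Restrict symmetric key addition
                restrictionType = "symmetricKeyAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T00:00:00Z", $invariant, $asUtc)
            }
            @{
                # Restrict custom password addition
                restrictionType = "customPasswordAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z", $invariant, $asUtc)
            }
            @{
                # Cap symmetric key lifetime at 40 days
                restrictionType = "symmetricKeyLifetime"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z", $invariant, $asUtc)
            }
        )
        keyCredentials = @(
            @{
                # Cap certificate (asymmetric key) lifetime at one year.
                # NOTE(review): year/month components of an ISO 8601 duration are calendar-dependent; if the SDK
                # normalises the value through a TimeSpan it becomes a fixed day count (1 year ~ 365 days).
                # A day-based value such as "P365D" makes the effective limit explicit — confirm against the tenant.
                restrictionType = "asymmetricKeyLifetime"
                maxLifetime = "P1Y"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z", $invariant, $asUtc)
            }
        )
    }
    ## Service principal restrictions target service principals owned by any other tenant
    #servicePrincipalRestrictions = @{
    #}
}
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params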
#################################### Application specific policy ####################################
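# Create a new app-specific app management policy. It only takes effect for the applications it is
# bound to (see the $ref assignment at the end of this section).
# Cut-off dates are parsed with the invariant culture and normalised to UTC so the values sent to
# Graph do not depend on the admin workstation's locale or time zone.
$invariant = [System.Globalization.CultureInfo]::InvariantCulture
$asUtc     = [System.Globalization.DateTimeStyles]::AdjustToUniversal
$params = @{
    displayName = "Control Secret Creation"
    description = "Allow Secret Creation and Limit Secret Lifetime"
    isEnabled = $true
    restrictions = @{
        passwordCredentials = @(
            @{
                # NOTE(review): state = "enabled" presumably means this passwordAddition restriction is
                # evaluated for the bound app, i.e. adding secrets to apps created after the cut-off is
                # restricted. If the intent (per displayName/description) is to exempt the app from the
                # tenant-wide rule, the state would presumably have to be "disabled" — confirm before assigning.
                restrictionType = "passwordAddition"
                state = "enabled"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2023-01-01T13:37:00Z", $invariant, $asUtc)
            }
            @{
                # Restrict password lifetime in ISO 8601 duration format (https://tc39.es/proposal-temporal/docs/duration.html)
                # NOTE(review): year/month components are calendar-dependent; if the SDK normalises the value through
                # a TimeSpan it becomes a fixed day count. A day-based value (e.g. "P545D") makes the effective
                # limit explicit — confirm against the tenant.
                restrictionType = "passwordLifetime"
                state = "enabled"
                maxLifetime = "P1Y6M15D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2018-01-01T13:37:00Z", $invariant, $asUtc)
            }
        )
        # No certificate (keyCredentials) restrictions in this policy
        keyCredentials = @(
        )
    }
}

# Create the app management policy and retrieve its object ID
$appManagementPolicyId = (New-MgPolicyAppManagementPolicy -BodyParameter $params).Id

# To update an EXISTING policy instead (e.g. after changing the restrictions above), skip the New-...
# call and put that policy's ID in the placeholder below. The placeholder is only used when nothing
# was created above, so a top-to-bottom run no longer overwrites the freshly created ID with it.
if ([string]::IsNullOrWhiteSpace($appManagementPolicyId)) {
    $appManagementPolicyId = "<app-management-policy-id>"
}
# Fail fast on an unreplaced placeholder or a typo before the ID is used in a request and
# interpolated into the @odata.id URL below
$parsedGuid = [guid]::Empty
if (-not [guid]::TryParse($appManagementPolicyId, [ref]$parsedGuid)) {
    throw "appManagementPolicyId '$appManagementPolicyId' is not a valid app management policy ID (GUID) - was the policy created, or did you forget to set the ID?"
}
Update-MgPolicyAppManagementPolicy -AppManagementPolicyId $appManagementPolicyId -BodyParameter $params

# Object ID (not application/client ID!) of the app registration the policy is assigned to
$applicationObjectId = "<application-object-id>"
if (-not [guid]::TryParse($applicationObjectId, [ref]$parsedGuid)) {
    throw "applicationObjectId '$applicationObjectId' is not a valid application object ID (GUID)."
}
# Create the policy assignment: bind the policy to the app via its appManagementPolicies $ref collection
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/appManagementPolicies/$appManagementPolicyId"
}
New-MgApplicationAppManagementPolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params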