Menambahkan aturan penyampingan kustom ke Akses Internet Aman Global

Ikhtisar

Skrip PowerShell ini menunjukkan cara menambahkan aturan bypass kustom secara terprogram ke kebijakan penerusan Akses Internet Microsoft Entra. Skrip menemukan kebijakan penerusan "Bypass Kustom" dan menambahkan aturan sampel agar bisa melewati domain yang ditentukan.

Sampel memerlukan modul Microsoft Graph Beta PowerShell 2.10 atau yang lebih baru.

Pertimbangan penting

  • Jalankan skrip PowerShell sebagai Administrator dari sesi PowerShell dengan hak akses tinggi.
  • Pastikan Anda menginstal modul Microsoft.Graph.Beta:
    Install-Module Microsoft.Graph.Beta -AllowClobber -Force
    
  • Akun yang digunakan untuk Connect-MgGraph harus memiliki izin berikut:
    • Kebijakan.Baca.Semua
    • AksesJaringan.BacaTulis.Semua

Contoh skrip

# bypassscript.ps1 adds sample endpoints to the custom bypass policy in the internet access forwarding profile
# 
# Version 1.0
# 
# This script requires following 
#    - PowerShell 5.1 (x64) or beyond
#    - Module: Microsoft.Graph.Beta
#
# Before you begin:
# - Make sure you are running PowerShell as an Administrator
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
# - Make sure the account used for Connect-MgGraph has the following permissions:
#   - Policy.Read.All
#   - NetworkAccess.ReadWrite.All
# 
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Beta.Identity.SignIns)) {
    Write-Host "Module Microsoft.Graph.Beta.Identity.SignIns is not installed. Please install it using: Install-Module Microsoft.Graph.Beta -AllowClobber"
    exit
}
Import-Module Microsoft.Graph.Beta.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All,NetworkAccess.ReadWrite.All"

# Find out custom bypass forwarding policy id
$custombypass = $null
$forwardingpolicies = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingpolicies"
foreach ($policy in $forwardingpolicies.value) {
	if ($policy.name -eq "Custom Bypass"){
		$custombypass = $policy.id
	}
}
if ($custombypass -eq $null) {
	Write-Host "Could not find the IA custom bypass forwarding policy. Exiting."
	exit
}

# First, Bypass the Intune endpoints
$samplerule = [PSCustomObject]@{
    name = "Sample FQDN bypass rule"
    action = "bypass"
    destinations = @()
    ruleType = "fqdn"
    ports = @("80", "443")
    protocol = "tcp"
    '@odata.type' = "#microsoft.graph.networkaccess.internetAccessForwardingRule"
}
$sampledomains = @(
	"bing.com",
	"*.bing.com"
)

foreach ($sampledomain in $sampledomains) {
	$fqdn = [PSCustomObject]@{
	   '@odata.type' = "#microsoft.graph.networkaccess.fqdn"
	   value = $sampledomain
	}
	$samplerule.destinations += $fqdn
}
$body = $samplerule | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingPolicies('$($custombypass)')/policyRules" -Body $body -ContentType "application/json"

# Next, Bypass the sample IP-based endpoints
$sampleipbypassrule = [PSCustomObject]@{
    name = "Sample IP bypass rule"
    action = "bypass"
    destinations = @()
    ruleType = "ipSubnet"
    ports = @("80", "443")
    protocol = "tcp"
    '@odata.type' = "#microsoft.graph.networkaccess.internetAccessForwardingRule"
}
$sampleipbypassdomains = @(
	"1.2.3.4/32"
)
foreach ($sampleipbypassdomain in $sampleipbypassdomains) {
	$ip = [PSCustomObject]@{
	   '@odata.type' = "#microsoft.graph.networkaccess.ipSubnet"
	   value = $sampleipbypassdomain
	}
	$sampleipbypassrule.destinations += $ip
}
$body = $sampleipbypassrule | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/networkaccess/forwardingPolicies('$($custombypass)')/policyRules" -Body $body -ContentType "application/json"

Langkah selanjutnya