AAD Conditional Access github GraphAPI

Testing: Conditional Access Automation with Node.JS and Github

I decided to write a small preview blog post on automating CA policies with Node.js and GitHub (GitHub Actions later).


  • Azure AD Graph client with a certificate-backed Azure AD service principal (Node.js GitHub repo: Azure AD Client Credentials With Certificate)
  • Node.js runtime "CA Manager"
    • This will eventually be converted to GitHub Actions written in JavaScript. For testing I kept all the logic in a Node.js app called CA Manager.
    • CA Manager takes care of matching shadow policies with production policies, and of generalising the policy files (many fields to omit, mapping ids to displayNames, etc.)
    • CA Manager syncs policies after a pull request has been approved
    • CA Manager uses the Conditional Access Graph APIs and octokit/core for GitHub automation
    • In the demo I broke down each CA Manager function by invoking it from the command line (these would later be individual GitHub JavaScript actions, if I understood the feature correctly)
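The "generalisation" step described above (dropping tenant-specific fields and mapping ids to displayNames before a shadow policy is compared with production), shown as an added example in plain Node.js; this is not code from the post or from the CA Manager tool, and the directory lookup table and both sample policies are constructed data:

```javascript
// Added example (not the post's or CA Manager's code): normalise a Graph API
// conditionalAccessPolicy so a Git "shadow" copy can be compared with production.

// Tenant-set properties that differ between copies and must not be diffed.
const OMIT_FIELDS = ["id", "createdDateTime", "modifiedDateTime", "templateId"];

// Constructed lookup of object id -> displayName (hypothetical values).
const DIRECTORY = {
  "11111111-1111-1111-1111-111111111111": "CA-Admins",
  "22222222-2222-2222-2222-222222222222": "Break-Glass",
};

// Map ids to names and sort so ordering is not reported as a change; unknown ids stay.
function mapIds(list) {
  return (list || []).map((v) => DIRECTORY[v] || v).sort();
}

function normalizePolicy(policy) {
  const p = JSON.parse(JSON.stringify(policy)); // deep copy; input is never mutated
  for (const f of OMIT_FIELDS) delete p[f];
  const users = p.conditions && p.conditions.users;
  if (users) {
    for (const k of ["includeUsers", "excludeUsers", "includeGroups", "excludeGroups"]) {
      if (users[k]) users[k] = mapIds(users[k]);
    }
  }
  return p;
}

// Sort keys recursively so JSON.stringify yields a stable, comparable form.
function canonical(obj) {
  if (Array.isArray(obj)) return obj.map(canonical);
  if (obj && typeof obj === "object") {
    return Object.keys(obj).sort().reduce((acc, k) => ((acc[k] = canonical(obj[k])), acc), {});
  }
  return obj;
}

function policiesMatch(shadow, production) {
  return JSON.stringify(canonical(normalizePolicy(shadow))) ===
    JSON.stringify(canonical(normalizePolicy(production)));
}

// Constructed sample: same policy, but production carries tenant metadata and raw ids.
const SHADOW = { displayName: "Require MFA for admins", state: "enabled",
  conditions: { users: { includeGroups: ["CA-Admins"], excludeGroups: ["Break-Glass"] } } };
const PRODUCTION = { id: "constructed-id", createdDateTime: "2020-10-01T00:00:00Z",
  displayName: "Require MFA for admins", state: "enabled", conditions: { users: {
    excludeGroups: ["22222222-2222-2222-2222-222222222222"],
    includeGroups: ["11111111-1111-1111-1111-111111111111"] } } };
```

A real run would fetch the production object from the Graph API and the shadow object from the repo; only the comparison logic is shown here.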

Demo of tooling

  • Shadow policy is changed
  • CA Manager syncs the change into the shadow branch and creates a pull request, which is then merged into the main branch after the change has been reviewed
  • Changes are pulled from main, which was merged with the shadow branch
  • CA Manager runs the policy updater
  • Admin views the updated policy in the Conditional Access view


Why not Azure DevOps? I will definitely look into Azure DevOps, but for now the promise of native JavaScript in GitHub Actions is the winner for me. With DevOps I would have to invoke Node.js from PowerShell and make sure STDOUT etc. is correctly captured (this might be trivial in the end).

  • Downsides of the GitHub implementation
    • The API I use to create the pull requests uses personal access tokens, which are just text strings (just like a client id and secret). Since I am already using certificate-backed Azure AD client credentials, I will have to look into bringing the GitHub implementation up to the same level. Maybe there is a possibility of using JWT tokens for the GitHub API.


To be continued once I've tested the Node.js code used here with GitHub Actions.

This post was inspired by an Ignite20 session on a similar concept built with Logic Apps, and by discussions I've had with @samilamppu and ThomasNaunheim.
