microsoft/Microsoft365DSC

AADConditionalAccessPolicy: BuiltInControls with value "passwordChange" failed with BadRequest error

gbs916 opened this issue · 1 comments

Description of the issue

I want to create a policy which requests a password change when the userRisk is high.
As soon as I set the BuiltInControls to passwordChange, the deployment fails. If I put "mfa" instead of passwordChange it works and the policy is created.
BuiltInControls = @("passwordChange"); => failed
BuiltInControls = @("mfa"); => works
The value passwordChange is provided by my configuration export, run with Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy")

Microsoft 365 DSC Version

1.24.424.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADConditionalAccessPolicy "AADConditionalAccessPolicy-Require MFA and password change for high risk users"
{
    AuthenticationContexts               = @();
    AuthenticationStrength               = "Multifactor authentication";
    BuiltInControls                      = @("passwordChange");
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    Credential                           = $Credscredential;
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "Require MFA and password change for high risk users";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "all";
    ExcludeGroups                        = @("GPAZ-AzureAD-MFA-Bypass");
    ExcludeGuestOrExternalUserTypes      = @("b2bCollaborationGuest");
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @();
    GrantControlOperator                 = "AND";
    Id                                   = "";
    IncludeApplications                  = @("All");
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @();
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @();
    IncludeUserActions                   = @();
    IncludeUsers                         = @("All");
    PersistentBrowserMode                = "";
    SignInFrequencyInterval              = "everyTime";
    SignInFrequencyIsEnabled             = $True;
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabled";
    UserRiskLevels                       = @("high");
}

Verbose logs showing the problem

##[error][BadRequest] : The server could not process the request because it is malformed or incorrect.
    + CategoryInfo          : InvalidOperation: ({ ConditionalAc...lAccessPolicy }:) [], CimException
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaIdentityConditionalAccessPolicy_UpdateExpanded
    + PSComputerName        : localhost
VERBOSE: [fv-az623-346]: [[AADConditionalAccessPolicy]CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az623-346]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]  in 1.4090 seconds.
##[error]The PowerShell DSC resource '[AADConditionalAccessPolicy]CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration' with SourceInfo 'D:\a\1\s\M365Config\0.0.1\DSCResources\EntraID\EntraID.schema.psm1::45::17::AADConditionalAccessPolicy' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
VERBOSE: [fv-az623-346]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-SignInRiskMediumAndHigh-MFA-FreqEveryTime::[EntraID]EntraID_Configuration]

Environment Information + PowerShell Version

No response

Solved
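The policy in this issue is rejected by Graph at Set-TargetResource with a bare BadRequest, which says nothing about which grant-control combination was refused. The following is an added example, not code from the issue or from Microsoft365DSC: a preflight check a deployer can run over the resource's values before the DSC push. The rules it encodes are the constraints Entra documents for the "Require password change" grant control as I understand them (it must be combined with the mfa control, the operator must be AND, and the policy needs a user risk condition) plus the portal's mutual exclusion of "Require authentication strength" and "Require multifactor authentication"; treat them as assumptions to verify against current Microsoft documentation, not as facts taken from this page. Test-CAPasswordChangeGrant is a hypothetical name.

```powershell
# Added example, not part of the issue or of Microsoft365DSC.
# Preflight check for the grant-control combination of an AADConditionalAccessPolicy
# resource. The rules below are the documented constraints of the "Require password
# change" control as I understand them; verify them against current Microsoft docs.
function Test-CAPasswordChangeGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $BuiltInControls,
        [Parameter(Mandatory)] [string]   $GrantControlOperator,
        [string[]] $UserRiskLevels         = @(),
        [string]   $AuthenticationStrength = ''
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Nothing to check unless a password change is being required.
    if ($BuiltInControls -notcontains 'passwordChange') {
        return $findings
    }

    # Password change is only accepted together with the mfa control ...
    if ($BuiltInControls -notcontains 'mfa') {
        $findings.Add("BuiltInControls: 'passwordChange' must be combined with 'mfa'.")
    }
    # ... and with "require all the selected controls" (operator AND).
    if ($GrantControlOperator -ne 'AND') {
        $findings.Add("GrantControlOperator: 'passwordChange' requires 'AND', got '$GrantControlOperator'.")
    }
    # It is meant for user-risk policies, so a user risk condition must be present.
    if ($UserRiskLevels.Count -eq 0) {
        $findings.Add("UserRiskLevels: 'passwordChange' needs a user risk condition (e.g. 'high').")
    }
    # In the portal, an authentication strength and the mfa control are mutually
    # exclusive ways of demanding MFA; assumption: Graph rejects both set at once.
    if (-not [string]::IsNullOrEmpty($AuthenticationStrength)) {
        $findings.Add("AuthenticationStrength: '$AuthenticationStrength' is set while 'mfa' is also needed in BuiltInControls; pick one MFA mechanism.")
    }

    return $findings
}

# Constructed call using the values from the configuration in this issue.
$findings = Test-CAPasswordChangeGrant `
    -BuiltInControls        @('passwordChange') `
    -GrantControlOperator   'AND' `
    -UserRiskLevels         @('high') `
    -AuthenticationStrength 'Multifactor authentication'

if ($findings.Count -gt 0) {
    Write-Warning ("Grant controls need attention before deployment:`n - " + ($findings -join "`n - "))
}
else {
    Write-Host 'Grant controls look consistent with the password change control.'
}
```

Run against the issue's values, the check reports that mfa is missing from BuiltInControls and that an authentication strength is set at the same time; the operator (AND) and the user risk condition (high) already satisfy the rules. Running such a check in the pipeline before Start-DscConfiguration turns an opaque Graph BadRequest into a named finding and keeps a half-applied risk policy out of the tenant.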