AADConditionalAccessPolicy: deployment bug since version 1.24.522.1. It's working with 1.24.515.2
gibi916 opened this issue · 5 comments
Description of the issue
I'm not able to use the latest version 1.24.522.1 because I have a deployment bug that I don't have with 1.24.515.2. This only concerns a few conditional access policies with a specific configuration. The error I get is:
Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
If I delete the policy I get the same kind of message, but with a "failed to create policy" message.
Without changing anything else except the DSC module version, I have a different result.
I noticed that with module 1.24.522.1 I have an additional property that appears in the verbose log, which is not set with the 1.24.515.2 module. It's this one: includeGuestsOrExternalUsers=$null
Here is the log when it is successfully deployed with module 1.24.515.2:
Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
Conditions={Applications={ExcludeApplications=()
IncludeApplications=(All)}
ClientAppTypes=(all)
Platforms=$null
SignInRiskLevels=()
UserRiskLevels=(high)
Users={ExcludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
ExcludeRoles=()
ExcludeUsers=()
IncludeGroups=()
IncludeRoles=()
IncludeUsers=(All)}}
DisplayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
GrantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
BuiltInControls=(passwordChange)
Operator=AND}
SessionControls={ApplicationEnforcedRestrictions={}
SignInFrequency={frequencyInterval=everyTime
isEnabled=True}}
State=disabled
VERBOSE: [fv-az631-198]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az631-198]: LCM: [ End Set ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] in 2.0160 seconds.
VERBOSE: [fv-az631-198]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]
And the log when it fails with module 1.24.522.1:
Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
conditions={applications={excludeApplications=()
includeApplications=(All)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=(high)
users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
excludeRoles=()
includeGroups=()
includeGuestsOrExternalUsers=$null
includeRoles=()
includeUsers=(All)}}
displayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
builtInControls=(passwordChange)
operator=AND}
sessionControls={applicationEnforcedRestrictions={}
signInFrequency={frequencyInterval=everyTime
isEnabled=True}}
state=disabled
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/8ef2790f-bd61-420e-a63a-7696463ba906 with 1076-byte payload
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] received 606-byte response of content type application/json
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Failed change policy
CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az520-935]: LCM: [ End Set ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] in 1.0010 seconds.
VERBOSE: [fv-az520-935]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]
Microsoft 365 DSC Version
1.24.522.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime"
{
AuthenticationContexts = @();
AuthenticationStrength = "Multifactor authentication";
BuiltInControls = @("passwordChange");
ClientAppTypes = @("all");
CloudAppSecurityType = "";
Credential = $Credscredential;
CustomAuthenticationFactors = @();
DeviceFilterRule = "";
DisplayName = "CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime";
Ensure = "Present";
ExcludeApplications = @();
ExcludeExternalTenantsMembers = @();
ExcludeExternalTenantsMembershipKind = "all";
ExcludeGroups = @("GPAZ-AzureAD-MFA-Bypass");
ExcludeGuestOrExternalUserTypes = @("b2bCollaborationGuest");
ExcludeLocations = @();
ExcludePlatforms = @();
ExcludeRoles = @();
ExcludeUsers = @();
GrantControlOperator = "AND";
Id = "";
IncludeApplications = @("All");
IncludeExternalTenantsMembers = @();
IncludeExternalTenantsMembershipKind = "";
IncludeGroups = @();
IncludeLocations = @();
IncludePlatforms = @();
IncludeRoles = @();
IncludeUserActions = @();
IncludeUsers = @("All");
PersistentBrowserMode = "";
SignInFrequencyInterval = "everyTime";
SignInFrequencyIsEnabled = $True;
SignInFrequencyType = "";
SignInRiskLevels = @();
State = "disabled";
TransferMethods = "";
UserRiskLevels = @("high");
}
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP105-Internals-AuthenticationContext-NoCondition-CompliantAndCommonCriteriaRestricted"
{
AuthenticationContexts = @("Common Criteria Restricted");
BuiltInControls = @("compliantDevice");
ClientAppTypes = @("all");
CloudAppSecurityType = "";
Credential = $Credscredential;
CustomAuthenticationFactors = @();
DeviceFilterRule = "";
DisplayName = "CAP105-Internals-AuthenticationContext-NoCondition-CompliantAndCommonCriteriaRestricted";
Ensure = "Present";
ExcludeApplications = @();
ExcludeExternalTenantsMembers = @();
ExcludeExternalTenantsMembershipKind = "all";
ExcludeGroups = @();
ExcludeGuestOrExternalUserTypes = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
ExcludeLocations = @();
ExcludePlatforms = @();
ExcludeRoles = @();
ExcludeUsers = @();
GrantControlOperator = "AND";
Id = "39d6eb05-91c5-460e-a4d5-c7e3765bd2db";
IncludeApplications = @();
IncludeExternalTenantsMembers = @();
IncludeExternalTenantsMembershipKind = "";
IncludeGroups = @();
IncludeLocations = @();
IncludePlatforms = @();
IncludeRoles = @();
IncludeUserActions = @();
IncludeUsers = @("All");
PersistentBrowserMode = "";
SignInFrequencyType = "";
SignInRiskLevels = @();
State = "disabled";
TermsOfUse = "Common Criteria Restricted";
TransferMethods = "";
UserRiskLevels = @();
}
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP106-Externals-AuthenticationContext-NoCondition-CommonCriteriaRestricted"
{
AuthenticationContexts = @("Common Criteria Restricted");
BuiltInControls = @("compliantDevice");
ClientAppTypes = @("all");
CloudAppSecurityType = "";
Credential = $Credscredential;
CustomAuthenticationFactors = @();
DeviceFilterRule = "";
DisplayName = "CAP106-Externals-AuthenticationContext-NoCondition-CommonCriteriaRestricted";
Ensure = "Present";
ExcludeApplications = @();
ExcludeExternalTenantsMembers = @();
ExcludeExternalTenantsMembershipKind = "";
ExcludeGroups = @();
ExcludeLocations = @();
ExcludePlatforms = @();
ExcludeRoles = @();
ExcludeUsers = @();
GrantControlOperator = "OR";
Id = "40c885e0-27de-467d-a720-877f7f7f2d6d";
IncludeApplications = @();
IncludeExternalTenantsMembers = @();
IncludeExternalTenantsMembershipKind = "all";
IncludeGroups = @();
IncludeGuestOrExternalUserTypes = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
IncludeLocations = @();
IncludePlatforms = @();
IncludeRoles = @();
IncludeUserActions = @();
IncludeUsers = @();
PersistentBrowserMode = "";
SignInFrequencyType = "";
SignInRiskLevels = @();
State = "disabled";
TermsOfUse = "Common Criteria Restricted";
TransferMethods = "";
UserRiskLevels = @();
}
Verbose logs showing the problem
Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
conditions={applications={excludeApplications=()
includeApplications=(All)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=(high)
users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
excludeRoles=()
excludeUsers=()
includeGroups=()
includeGuestsOrExternalUsers=$null
includeRoles=()
includeUsers=(All)}}
displayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
builtInControls=(passwordChange)
operator=AND}
sessionControls={applicationEnforcedRestrictions={}
signInFrequency={frequencyInterval=everyTime
isEnabled=True}}
state=disabled
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/8ef2790f-bd61-420e-a63a-7696463ba906 with 1076-byte payload
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] received 606-byte response of content type application/json
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [WINAA5CG0368CWW]: LCM: [ End Set ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] in 2.1450 seconds.
VERBOSE: [WINAA5CG0368CWW]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]
Environment Information + PowerShell Version
No response
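The log above shows the PATCH returning a 606-byte JSON body that the module reduces to "Failed change policy", and the LCM still prints "Finished processing" afterwards, so a policy that was never applied is easy to miss. The script below is an added example, not code from the issue or from the Microsoft365DSC module: it replays the module's PATCH against the same policy, once with includeGuestsOrExternalUsers = $null (the extra property in the 1.24.522.1 log) and once with that property omitted (as 1.24.515.2 sent it), prints Graph's error message for each, and then reads the policy back. It assumes the Microsoft.Graph.Authentication module, an account with Policy.ReadWrite.ConditionalAccess, and a test tenant; the policy id is the one from the log, and Invoke-CaPatch is a helper written for this example. The PATCH does change the tenant policy, even though the policy in the configuration is disabled.

```powershell
# Added example; not the module's own code.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policyId = '8ef2790f-bd61-420e-a63a-7696463ba906'   # id from the log above
$uri      = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$policyId"

function Invoke-CaPatch {
    # Helper for this example: PATCH a Conditional Access policy and return
    # success/failure together with the message from Graph's error envelope.
    param([string]$Uri, [hashtable]$Body)
    try {
        # Pass the body as JSON so that $null values are serialised as null,
        # which is the shape the failing module version sends.
        Invoke-MgGraphRequest -Method PATCH -Uri $Uri -ContentType 'application/json' `
            -Body ($Body | ConvertTo-Json -Depth 10) -ErrorAction Stop | Out-Null
        return [pscustomobject]@{ Succeeded = $true; Error = $null }
    }
    catch {
        # The exception text is the generic "Response status code does not indicate
        # success: BadRequest"; the response body (the 606-byte JSON in the log) is in
        # ErrorDetails.Message in the SDK versions I have used (assumption; check yours).
        $detail = $_.ErrorDetails.Message
        if ($detail) {
            try { $detail = ($detail | ConvertFrom-Json).error.message } catch { }
        }
        if (-not $detail) { $detail = $_.Exception.Message }
        return [pscustomobject]@{ Succeeded = $false; Error = $detail }
    }
}

# Start from the tenant's current policy and send back only its conditions block,
# which is what the module's PATCH contains.
$current    = Invoke-MgGraphRequest -Method GET -Uri $uri
$conditions = $current.conditions

# Case 1: as 1.24.522.1 sends it, users carries includeGuestsOrExternalUsers = null.
$conditions.users['includeGuestsOrExternalUsers'] = $null
$withNull = Invoke-CaPatch -Uri $uri -Body @{ conditions = $conditions }

# Case 2: as 1.24.515.2 sent it, the property is absent.
$conditions.users.Remove('includeGuestsOrExternalUsers')
$withoutNull = Invoke-CaPatch -Uri $uri -Body @{ conditions = $conditions }

[pscustomobject]@{ Case = 'includeGuestsOrExternalUsers = null'; Succeeded = $withNull.Succeeded;    Error = $withNull.Error }
[pscustomobject]@{ Case = 'property omitted';                    Succeeded = $withoutNull.Succeeded; Error = $withoutNull.Error }

# The LCM log reports "Finished processing" either way, so verify the tenant state
# with a GET instead of trusting the Set log.
(Invoke-MgGraphRequest -Method GET -Uri $uri).conditions.users | ConvertTo-Json -Depth 10
```

If the first case fails and the second succeeds, the null property is the trigger and the module, not the policy definition, needs fixing. The final GET is the check worth keeping in any pipeline that pushes Conditional Access policies: a Set that logs completion after a failed PATCH leaves the tenant without the control the configuration describes, and nothing in the LCM output flags it.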
Both logs show that the deployment fails, do you have a log of one that succeeds?
Sorry for that. I corrected the log.
hello,
I am facing the same issue.
Moreover, in the event log, you may see the error below:
Error creating new policy:
{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365dsc\1.24.522.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682
I have one computer with Microsoft365DSC module version 1.24.522.1. I updated Microsoft365DSC recently.
And I have another computer which I did not update recently and which is using module version 1.24.228.1.
With version 1.24.228.1, everything is working fine for Entra ID Conditional Access: I can create and update Conditional Access policies from the MOF file without error.
But with version 1.24.522.1, creation and update of Conditional Access policies do not work anymore.
The DSC agent verbose log does not output any error; it seems that everything is working fine. But when checking Conditional Access in the M365 console, nothing has changed. And looking at the event log, there is this "BadRequest" error.
It seems that since the update of Microsoft365DSC, some functionality for Conditional Access is not working anymore.
Moreover, I can see that new exports have a new option, "TransferMethods", in the Conditional Access settings.
Does anyone manage to create and update Conditional Access objects with version 1.24.522.1?
Regards
hello,
One update from my end, if this can help.
The M365DSC deployment is successful after removing the corresponding line from the MOF file:
TransferMethods = "";
The M365DSC team has switched from "Update-MgBetaIdentityConditionalAccessPolicy" to Invoke-MgGraphRequest.
There may be some fine-tuning to do with this new TransferMethods property in the $newparameters variable.
Great job to the team by the way.
Regards
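Both findings in this thread point at the same mechanism: a property the configuration never set (includeGuestsOrExternalUsers = $null in the reporter's log, TransferMethods = "" in the MOF) ends up in the Invoke-MgGraphRequest payload as null or an empty string, and Graph rejects it. The function below is an added example, not code from Microsoft365DSC, showing the payload-level equivalent of the workaround: strip null and empty-string leaves from the nested hashtable before it is sent, while keeping empty arrays and empty objects, which the successful 1.24.515.2 log shows Graph accepting (excludeApplications=(), applicationEnforcedRestrictions={}). Remove-EmptyLeaf is a name chosen for this example, and the sample payload is constructed from the log above, trimmed to the relevant parts.

```powershell
# Added example; not the module's own code.
function Remove-EmptyLeaf {
    # Return a copy of $Value with every $null or '' leaf removed, recursing into
    # dictionaries and arrays. Empty arrays and empty dictionaries are kept because
    # in a Conditional Access PATCH they mean "clear this list", not "unset".
    param([AllowNull()] $Value)

    if ($null -eq $Value -or ($Value -is [string] -and $Value -eq '')) { return $null }

    if ($Value -is [System.Collections.IDictionary]) {
        $clean = [ordered]@{}
        foreach ($key in @($Value.Keys)) {
            $child = Remove-EmptyLeaf -Value $Value[$key]
            if ($null -ne $child) { $clean[$key] = $child }
        }
        return $clean
    }

    if ($Value -is [array]) {
        # Leading comma stops PowerShell from unrolling an empty array into nothing.
        return ,@($Value | ForEach-Object { Remove-EmptyLeaf -Value $_ } | Where-Object { $null -ne $_ })
    }

    return $Value   # strings, booleans, numbers pass through unchanged
}

# Constructed from the failing 1.24.522.1 log above: the same nesting, with the
# $null property that 1.24.515.2 did not send and a TransferMethods-style '' leaf.
$raw = @{
    conditions = @{
        applications = @{ includeApplications = @('All'); excludeApplications = @() }
        platforms    = $null
        users        = @{
            includeUsers                 = @('All')
            includeGroups                = @()
            excludeGroups                = @('4d724a52-9dd2-4a2e-aa66-da1c54ee56ae')
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants          = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
            includeGuestsOrExternalUsers = $null
        }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{}
        signInFrequency                 = @{ frequencyInterval = 'everyTime'; isEnabled = $true }
        secureSignInSession             = ''   # stands in for an unset TransferMethods-type value
    }
    state = 'disabled'
}

$clean = Remove-EmptyLeaf -Value $raw

# What would have been sent versus what is sent after cleaning.
'--- raw users block ---';   $raw.conditions.users   | ConvertTo-Json -Depth 10
'--- clean users block ---'; $clean.conditions.users | ConvertTo-Json -Depth 10
'--- clean sessionControls ---'; $clean.sessionControls | ConvertTo-Json -Depth 10

# The cleaned object is what goes into the PATCH (connection and policy id assumed):
# Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
#     -Body ($clean | ConvertTo-Json -Depth 10)
```

The caveat that matters when applying this to a DSC resource: leaving a property out of a PATCH means "do not touch it", not "clear it". Dropping includeGuestsOrExternalUsers = $null is right because the configuration never managed that setting, but an operator who wants to remove, say, a platform condition must still send the explicit value, so the stripping has to be tied to properties the resource was not asked to manage rather than applied blindly. That is also why the fix belongs in the module's $newparameters construction, as the comment above suggests, and not in the MOF.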