Assert-M365DSCBlueprint Not Reporting Missing Included Roles
Alexprosp247 opened this issue · 1 comment
Alexprosp247 commented
Description of the issue
I have a blueprint which requires certain administrative roles to be included in a conditional access policy. However, when I test this by removing one of the roles from the conditional access policy in Entra ID, the blueprint report does not flag the missing role. In this example I removed the Global Administrator and Conditional Access Administrator, but this isn't flagged in the report.
Microsoft 365 DSC Version
1.24.612.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
AADConditionalAccessPolicy "AADConditionalAccessPolicy-Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals"
{
    AuthenticationContexts               = @();
    BuiltInControls                      = @("mfa");
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    Credential                           = $Credscredential;
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "";
    ExcludeGroups                        = @();
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @();
    GrantControlOperator                 = "OR";
    Id                                   = "bd7bc54d-fd64-4c03-a5a1-d59cc91ac59f";
    IncludeApplications                  = @("MicrosoftAdminPortals"); ### L1| Admin Portal application should be included
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @();
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @("Global Administrator","Security Administrator","SharePoint Administrator","Exchange Administrator","Conditional Access Administrator","Helpdesk Administrator","Billing Administrator","User Administrator","Authentication Administrator","Application Administrator","Cloud Application Administrator","Password Administrator","Privileged Authentication Administrator","Privileged Role Administrator"); ### L1| These roles should require MFA for accessing admin portals
    IncludeUserActions                   = @();
    IncludeUsers                         = @();
    PersistentBrowserMode                = "";
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabled";
    UserRiskLevels                       = @();
}
Verbose logs showing the problem
No response
Environment Information + PowerShell Version
No response
Alexprosp247 commented
Oversight on my part. Because this was a Microsoft-managed CA policy, I created a copy of it in Entra ID to modify and forgot to update the blueprint to have "COPY" at the end of the name.
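The root cause above is a name mismatch: the blueprint's DisplayName still matched the untouched Microsoft-managed policy, so the report compared against the wrong object. The following is an added example (not Microsoft365DSC's own code) that resolves a blueprint DisplayName to the live policy by exact match, warns about similarly named policies such as a "... COPY", and diffs the blueprint's IncludeRoles against what the policy actually contains. It assumes the Microsoft.Graph modules are installed and Connect-MgGraph has already been run with Policy.Read.All and Directory.Read.All.

```powershell
# Added example, not Microsoft365DSC code. Assumes Connect-MgGraph has run with
# Policy.Read.All and Directory.Read.All so CA policies and role templates can be read.
function Compare-BlueprintIncludeRoles {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,   # DisplayName from the blueprint
        [Parameter(Mandatory)] [string[]] $ExpectedRoles  # IncludeRoles from the blueprint
    )

    # CA policies store role template ids, not names; build an id -> name map.
    $roleNames = @{}
    Get-MgDirectoryRoleTemplate -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    # Exact-name match, which is what a blueprint comparison keys on; then list
    # near misses so a renamed copy (e.g. "... COPY") is not silently left out.
    $all     = Get-MgIdentityConditionalAccessPolicy -All
    $exact   = @($all | Where-Object { $_.DisplayName -eq $DisplayName })
    $similar = @($all | Where-Object { $_.DisplayName -ne $DisplayName -and $_.DisplayName.StartsWith($DisplayName) })

    if ($exact.Count -ne 1) {
        Write-Warning "Expected exactly one policy named '$DisplayName', found $($exact.Count)."
    }
    foreach ($s in $similar) {
        Write-Warning "Similarly named policy not covered by the blueprint: '$($s.DisplayName)' (state: $($s.State))"
    }
    if ($exact.Count -eq 0) { return $null }

    $policy = $exact[0]
    # Translate role ids to names; keep the raw id if no template matches.
    $actualRoles = @($policy.Conditions.Users.IncludeRoles | ForEach-Object {
        if ($roleNames.ContainsKey($_)) { $roleNames[$_] } else { $_ }
    })

    [pscustomobject]@{
        PolicyId     = $policy.Id
        State        = $policy.State
        MissingRoles = @($ExpectedRoles | Where-Object { $_ -notin $actualRoles })
        ExtraRoles   = @($actualRoles   | Where-Object { $_ -notin $ExpectedRoles })
    }
}

# Usage with the blueprint values from this issue (two of the roles, for brevity):
Compare-BlueprintIncludeRoles `
    -DisplayName 'Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals' `
    -ExpectedRoles @('Global Administrator', 'Conditional Access Administrator')
```

In the scenario above, the warning about the similarly named policy is what would have pointed at the "COPY" before the report was trusted.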