microsoft/Microsoft365DSC

Assert-M365DSCBlueprint Not Reporting Missing Included Roles

Alexprosp247 opened this issue · 1 comment

Description of the issue

I have a blueprint which requires certain administrative roles to be included in a conditional access policy. However, when I test this by removing one of the roles from the conditional access policy in Entra ID, the blueprint report does not flag the missing role. In this example I removed the Global Administrator and Conditional Access Administrator, but this isn't flagged in the report.


Microsoft 365 DSC Version

1.24.612.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADConditionalAccessPolicy "AADConditionalAccessPolicy-Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals"
{
    AuthenticationContexts               = @();
    BuiltInControls                      = @("mfa");
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    Credential                           = $Credscredential;
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "";
    ExcludeGroups                        = @();
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @();
    GrantControlOperator                 = "OR";
    Id                                   = "bd7bc54d-fd64-4c03-a5a1-d59cc91ac59f";
    IncludeApplications                  = @("MicrosoftAdminPortals"); ### L1| Admin Portal application should be included
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @();
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @("Global Administrator","Security Administrator","SharePoint Administrator","Exchange Administrator","Conditional Access Administrator","Helpdesk Administrator","Billing Administrator","User Administrator","Authentication Administrator","Application Administrator","Cloud Application Administrator","Password Administrator","Privileged Authentication Administrator","Privileged Role Administrator"); ### L1| These roles should require MFA for accessing admin portals
    IncludeUserActions                   = @();
    IncludeUsers                         = @();
    PersistentBrowserMode                = "";
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabled";
    UserRiskLevels                       = @();
}

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

Oversight on my part. Because this was a Microsoft-managed CA policy, I created a copy of it in Entra ID to modify and forgot to update the blueprint to have "COPY" at the end of the name.
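The root cause above is a DisplayName mismatch: the blueprint kept matching the untouched Microsoft-managed policy, so the modified "COPY" was never compared and the missing roles went unreported. The following is an added example, not code from the issue or from Microsoft365DSC; it uses constructed sample policies and a hypothetical Compare-CAPolicyIncludeRoles function to show how a name-based match passes silently, how the same check reports the missing roles once the name is corrected, and how to flag the case where no policy matches at all.

```powershell
# Added example (not part of the issue or the Microsoft365DSC project). Matches a
# blueprint entry to a tenant policy by DisplayName and reports missing IncludeRoles,
# and reports when no policy with that DisplayName exists at all.
function Compare-CAPolicyIncludeRoles {
    param(
        [Parameter(Mandatory)] [hashtable]   $Blueprint,      # expected policy: DisplayName, IncludeRoles
        [Parameter(Mandatory)] [hashtable[]] $TenantPolicies  # actual policies (constructed sample below)
    )
    $actual = @($TenantPolicies | Where-Object { $_.DisplayName -eq $Blueprint.DisplayName })
    if ($actual.Count -eq 0) {
        # Without this branch a renamed copy is simply never compared and nothing is flagged.
        $near = @($TenantPolicies | Where-Object { $_.DisplayName -like "$($Blueprint.DisplayName)*" } |
                 ForEach-Object { $_.DisplayName })
        return [pscustomobject]@{ DisplayName = $Blueprint.DisplayName; Status = 'NoMatchingPolicy'
                                  MissingRoles = @(); Candidates = $near }
    }
    $missing = @($Blueprint.IncludeRoles | Where-Object { $_ -notin $actual[0].IncludeRoles })
    [pscustomobject]@{
        DisplayName  = $Blueprint.DisplayName
        Status       = if ($missing.Count -eq 0) { 'Compliant' } else { 'MissingRoles' }
        MissingRoles = $missing
        Candidates   = @()
    }
}

# Constructed sample data mirroring the issue: the blueprint names the Microsoft-managed
# policy, while the tenant holds the untouched managed policy plus a modified "COPY".
$blueprint = @{
    DisplayName  = 'Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals'
    IncludeRoles = @('Global Administrator', 'Security Administrator', 'Conditional Access Administrator')
}
$tenant = @(
    @{ DisplayName = $blueprint.DisplayName;           IncludeRoles = $blueprint.IncludeRoles }   # managed original, unchanged
    @{ DisplayName = "$($blueprint.DisplayName) COPY"; IncludeRoles = @('Security Administrator') } # edited copy
)

# 1) Blueprint still points at the original: reports Compliant, the silent pass from the issue.
Compare-CAPolicyIncludeRoles -Blueprint $blueprint -TenantPolicies $tenant

# 2) Blueprint corrected to the COPY name: reports MissingRoles for the two removed roles.
$blueprint.DisplayName += ' COPY'
Compare-CAPolicyIncludeRoles -Blueprint $blueprint -TenantPolicies $tenant

# 3) Blueprint names a policy that does not exist: reports NoMatchingPolicy with near matches.
$blueprint.DisplayName = 'Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals'
$tenant = @($tenant[1])
Compare-CAPolicyIncludeRoles -Blueprint $blueprint -TenantPolicies $tenant
```

The third case is the one worth wiring into a blueprint pre-check: a DisplayName with no exact match should fail the run rather than be skipped.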