AADConditionalAccessPolicy risk of tenant lock-out

[bartvermeersch]

When creating a conditional access policy with a block action, it will typically contain exclude* clauses (eg ExcludeLocations, ExcludeUsers...).

When this policy is created using DSC and the exclude* objects are not found (because they were manually renamed/deleted, or are to be created later on in the DSC), the policy is created without these exclusions. The exclusion objects are skipped, but the policy is created/modified anyhow.

This could lead to tenant lock-out.

So my question: is it a design decision that a DSC resource is applied even if some attributes were failing or is this a bug?

[bartvermeersch]

I did found some exception throwing for most exclude* objects which will probably bail out of the action if I'm correct?

                        $userguid = $null
                        try
                        {
                            $userguid = (Get-MgUser -UserId $excludeuser -ErrorAction Stop).Id
                        }
                        catch
                        {
                            New-M365DSCLogEntry -Message 'Error updating data:' `
                                -Exception $_ `
                                -Source $($MyInvocation.MyCommand.Source) `
                                -TenantId $TenantId `
                                -Credential $Credential
                            throw $_
                        }
                        if ($null -eq $userguid)
                        {
                            $message = "Couldn't find user '$excludeuser', couldn't add to policy '$DisplayName'"
                            New-M365DSCLogEntry -Message $message `
                                -Source $($MyInvocation.MyCommand.Source) `
                                -TenantId $TenantId `
                                -Credential $Credential
                            throw $message
                        }
                        else
                        {
                            $conditions.users.excludeUsers += $userguid
                        }
                    }

But it is missing for locations (and possibly some other attributes).