AADConditionalAccessPolicy: ExcludeApplications are not enforced #3885

Closed
mibarm opened this issue Nov 13, 2023 · 0 comments · Fixed by #3953 or #4139
Labels
Bug Something isn't working Entra ID V1.23.1018.1 Version 1.23.1018.1

mibarm commented Nov 13, 2023

Description of the issue

When the list of ExcludeApplications is changed in the tenant, DSC fails to overwrite the property with the configuration defined. The drift is recognized; however, nothing is changed.

Steps to reproduce:
In a Conditional Access policy, add an excluded application to the policy using the Entra ID Portal. Then apply a DSC config where the same policy exists without any excluded applications.
Result:
Drift is recognized but not corrected

Microsoft 365 DSC Version

1.23.1018.1

Which workloads are affected

Azure Active Directory

The DSC configuration

AADConditionalAccessPolicy 'CA_AllUsersMFA'
{
    ApplicationEnforcedRestrictionsIsEnabled = $False;
    BuiltInControls                          = @("Mfa");
    ClientAppTypes                           = @("ExchangeActiveSync","Browser","MobileAppsAndDesktopClients","Other");
    CloudAppSecurityIsEnabled                = $False;
    CloudAppSecurityType                     = "";
    DisplayName                              = "CA_AllUsersMFA";
    Ensure                                   = "Present";
    ExcludeApplications                      = @();
    ExcludeGroups                            = $cd.NonNodeData.CAExcludeGroups;
    ExcludeLocations                         = @();
    ExcludePlatforms                         = @();
    ExcludeRoles                             = @();
    ExcludeUsers                             = $cd.NonNodeData.CAExcludeAccounts;
    GrantControlOperator                     = "OR";
    Id                                       = "c4cb8af5-48db-411a-870e-eeaf940bb537";
    IncludeApplications                      = @("All");
    IncludeGroups                            = @();
    IncludeLocations                         = @();
    IncludePlatforms                         = @();
    IncludeRoles                             = @();
    IncludeUserActions                       = @();
    IncludeUsers                             = @("All");
    PersistentBrowserIsEnabled               = $False;
    PersistentBrowserMode                    = "";
    SignInFrequencyIsEnabled                 = $False;
    SignInFrequencyType                      = "";
    SignInRiskLevels                         = @();
    State                                    = "enabled";
    UserRiskLevels                           = @();
    ApplicationId                            = $Cd.NonNodeData.ApplicationId;
    CertificateThumbprint                    = $Cd.NonNodeData.CertificateThumbprint;
    TenantId                                 = $TenantId;
    PsDscRunAsCredential                     = $PSDSCcred
}

Verbose logs showing the problem

It's not reporting a problem.

Environment Information + PowerShell Version

No response

@andikrueger andikrueger added Bug Something isn't working Entra ID V1.23.1018.1 Version 1.23.1018.1 labels Nov 15, 2023
sandrola added a commit to swisscom/Microsoft365DSC that referenced this issue Nov 20, 2023
sandrola added a commit to swisscom/Microsoft365DSC that referenced this issue Nov 27, 2023
sandrola added a commit to swisscom/Microsoft365DSC that referenced this issue Nov 28, 2023
sandrola added a commit to swisscom/Microsoft365DSC that referenced this issue Dec 21, 2023
sandrola added a commit to swisscom/Microsoft365DSC that referenced this issue Jan 3, 2024
sandrola added a commit to swisscom/Microsoft365DSC that referenced this issue Jan 8, 2024
NikCharlebois added a commit that referenced this issue Jan 8, 2024
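
An added example, not part of the original issue or the Microsoft365DSC code base: an independent post-apply check that a Conditional Access policy's `ExcludeApplications` in the tenant matches the declared list, including the empty-list case reported above. The function names and the sample application ID are hypothetical; the live lookup assumes the Microsoft.Graph.Identity.SignIns module.

```powershell
# Added example: names below are hypothetical, not Microsoft365DSC functions.

function Compare-CaExcludeApplications {
    param(
        [AllowNull()][AllowEmptyCollection()][string[]]$Desired,
        [AllowNull()][AllowEmptyCollection()][string[]]$Actual
    )
    # Normalise $null and @() to an empty list so that "no exclusions"
    # is treated as a real desired state, not as "property not specified".
    $want = @($Desired | Where-Object { $_ })
    $have = @($Actual  | Where-Object { $_ })
    [pscustomobject]@{
        # In the tenant but not declared: apps exempt from the policy's controls.
        Unexpected = @($have | Where-Object { $_ -notin $want })
        # Declared but absent from the tenant.
        Missing    = @($want | Where-Object { $_ -notin $have })
    }
}

function Get-LiveCaExcludeApplications {
    param([Parameter(Mandatory)][string]$PolicyId)
    # Needs an existing session, e.g. Connect-MgGraph -Scopes 'Policy.Read.All'.
    $policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    @($policy.Conditions.Applications.ExcludeApplications)
}

# Constructed sample mirroring the report: the configuration declares no
# exclusions, while the tenant still carries one added through the portal.
$desired = @()
$actual  = @('00000000-0000-0000-0000-000000000001')   # constructed placeholder app ID
# Against a real tenant, replace the line above with:
#   $actual = Get-LiveCaExcludeApplications -PolicyId '<policy Id from the configuration>'

$drift = Compare-CaExcludeApplications -Desired $desired -Actual $actual
if ($drift.Unexpected.Count -or $drift.Missing.Count) {
    Write-Warning ("ExcludeApplications drift: unexpected=[{0}] missing=[{1}]" -f
        ($drift.Unexpected -join ','), ($drift.Missing -join ','))
}
```

Running this after each DSC apply gives a signal that does not depend on the resource's own Set logic, so an exclusion that survives a run is reported rather than silently left in place.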