
AADConditionalAccessPolicy: deployment bug since version 1.24.522.1. It's working with 1.24.515.2 #4725

Open
gibi916 opened this issue May 31, 2024 · 5 comments
Labels: Bug (Something isn't working), Entra ID, V1.24.515.2 (Version 1.24.515.2)

Comments

gibi916 commented May 31, 2024

Description of the issue

I'm not able to use the latest version 1.24.522.1 because I have a deployment bug that I don't have with 1.24.515.2. This only concerns a few conditional access policies with a specific configuration. The error I get is:

Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime

If I delete the policy I get the same kind of message, but with a "failed to create policy" message.
Without changing anything else except the DSC module version, I get a different result.
I noticed that with module 1.24.522.1 I have an additional property that appears in the verbose log, which is not set with the 1.24.515.2 module. It's this one: includeGuestsOrExternalUsers=$null

Here is the log when it's successfully deployed with module 1.24.515.2:

Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
Conditions={Applications={ExcludeApplications=()
IncludeApplications=(All)}
ClientAppTypes=(all)
Platforms=$null
SignInRiskLevels=()
UserRiskLevels=(high)
Users={ExcludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
ExcludeRoles=()
ExcludeUsers=()
IncludeGroups=()
IncludeRoles=()
IncludeUsers=(All)}}
DisplayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
GrantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
BuiltInControls=(passwordChange)
Operator=AND}
SessionControls={ApplicationEnforcedRestrictions={}
SignInFrequency={frequencyInterval=everyTime
isEnabled=True}}
State=disabled
VERBOSE: [fv-az631-198]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az631-198]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]  in 2.0160 seconds.
VERBOSE: [fv-az631-198]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]

And the log when it failed with module 1.24.522.1:

Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
conditions={applications={excludeApplications=()
includeApplications=(All)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=(high)
users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
excludeRoles=()
includeGroups=()
includeGuestsOrExternalUsers=$null
includeRoles=()
includeUsers=(All)}}
displayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
builtInControls=(passwordChange)
operator=AND}
sessionControls={applicationEnforcedRestrictions={}
signInFrequency={frequencyInterval=everyTime
isEnabled=True}}
state=disabled
VERBOSE: [fv-az520-935]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/8ef2790f-bd61-420e-a63a-7696463ba906 with 1076-byte payload
VERBOSE: [fv-az520-935]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] received 606-byte response of content type application/json
VERBOSE: [fv-az520-935]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Failed change policy 
CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az520-935]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az520-935]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]  in 1.0010 seconds.
VERBOSE: [fv-az520-935]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]

Microsoft 365 DSC Version

1.24.522.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime"
        {
            AuthenticationContexts               = @();
            AuthenticationStrength               = "Multifactor authentication";
            BuiltInControls                      = @("passwordChange");
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            Credential                           = $Credscredential;
            CustomAuthenticationFactors          = @();
            DeviceFilterRule                     = "";
            DisplayName                          = "CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "all";
            ExcludeGroups                        = @("GPAZ-AzureAD-MFA-Bypass");
            ExcludeGuestOrExternalUserTypes      = @("b2bCollaborationGuest");
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @();
            GrantControlOperator                 = "AND";
            Id                                   = "";
            IncludeApplications                  = @("All");
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "";
            IncludeGroups                        = @();
            IncludeLocations                     = @();
            IncludePlatforms                     = @();
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @("All");
            PersistentBrowserMode                = "";
            SignInFrequencyInterval              = "everyTime";
            SignInFrequencyIsEnabled             = $True;
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "disabled";
            TransferMethods                      = "";
            UserRiskLevels                       = @("high");
        }
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP105-Internals-AuthenticationContext-NoCondition-CompliantAndCommonCriteriaRestricted"
        {
            AuthenticationContexts               = @("Common Criteria Restricted");
            BuiltInControls                      = @("compliantDevice");
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            Credential                           = $Credscredential;
            CustomAuthenticationFactors          = @();
            DeviceFilterRule                     = "";
            DisplayName                          = "CAP105-Internals-AuthenticationContext-NoCondition-CompliantAndCommonCriteriaRestricted";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "all";
            ExcludeGroups                        = @();
            ExcludeGuestOrExternalUserTypes      = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @();
            GrantControlOperator                 = "AND";
            Id                                   = "39d6eb05-91c5-460e-a4d5-c7e3765bd2db";
            IncludeApplications                  = @();
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "";
            IncludeGroups                        = @();
            IncludeLocations                     = @();
            IncludePlatforms                     = @();
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @("All");
            PersistentBrowserMode                = "";
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "disabled";
            TermsOfUse                           = "Common Criteria Restricted";
            TransferMethods                      = "";
            UserRiskLevels                       = @();
        }
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP106-Externals-AuthenticationContext-NoCondition-CommonCriteriaRestricted"
        {
            AuthenticationContexts               = @("Common Criteria Restricted");
            BuiltInControls                      = @("compliantDevice");
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            Credential                           = $Credscredential;
            CustomAuthenticationFactors          = @();
            DeviceFilterRule                     = "";
            DisplayName                          = "CAP106-Externals-AuthenticationContext-NoCondition-CommonCriteriaRestricted";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "";
            ExcludeGroups                        = @();
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @();
            GrantControlOperator                 = "OR";
            Id                                   = "40c885e0-27de-467d-a720-877f7f7f2d6d";
            IncludeApplications                  = @();
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "all";
            IncludeGroups                        = @();
            IncludeGuestOrExternalUserTypes      = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
            IncludeLocations                     = @();
            IncludePlatforms                     = @();
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @();
            PersistentBrowserMode                = "";
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "disabled";
            TermsOfUse                           = "Common Criteria Restricted";
            TransferMethods                      = "";
            UserRiskLevels                       = @();
        }

Verbose logs showing the problem

Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
conditions={applications={excludeApplications=()
includeApplications=(All)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=(high)
users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
excludeRoles=()
excludeUsers=()
includeGroups=()
includeGuestsOrExternalUsers=$null
includeRoles=()
includeUsers=(All)}}
displayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
builtInControls=(passwordChange)
operator=AND}
sessionControls={applicationEnforcedRestrictions={}
signInFrequency={frequencyInterval=everyTime
isEnabled=True}}
state=disabled
VERBOSE: [WINAA5CG0368CWW]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/8ef2790f-bd61-420e-a63a-7696463ba906 with 1076-byte payload
VERBOSE: [WINAA5CG0368CWW]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] received 606-byte response of content type application/json
VERBOSE: [WINAA5CG0368CWW]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [WINAA5CG0368CWW]:                            [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [WINAA5CG0368CWW]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]  in 2.1450 seconds.
VERBOSE: [WINAA5CG0368CWW]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]

Environment Information + PowerShell Version

No response

ricmestre (Contributor) commented

Both logs show that the deployment fails, do you have a log of one that succeeds?

gibi916 (Author) commented May 31, 2024

Sorry for that. I corrected the log.

vinam779 commented Jun 7, 2024

Hello,
I am facing the same issue.

Moreover, in the eventlog, you may see the below error
Error creating new policy:
{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365dsc\1.24.522.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682

I have one computer with module Microsoft365dsc version 1.24.522.1. I have updated Microsoft365dsc recently.
And I have another computer which I did not update recently and which is using module version 1.24.228.1.
With version 1.24.228.1, everything is working fine for EntraID ConditionalAccess; I can create and update conditionalAccess from the MOF file without error.
But with version 1.24.522.1, creation and update of conditionalAccess does not work anymore.
The DSC agent verbose log does not output any error; it seems that everything is working fine. But when checking the conditionalAccess M365 console, nothing has changed. And looking at the eventlog, there is this error "BadRequest".
It seems that since the update of Microsoft365DSC, some functionality for conditionalaccess is not working anymore.

Moreover, I can see that new exports have a new option for "TransferMethods" in conditionalaccess settings.

Does anyone manage to create and update conditionalAccess objects with version 1.24.522.1?
Regards

vinam779 commented Jun 7, 2024

Hello,
One update from my end, if this can help.
M365DSC deployment is successful after removing the corresponding line from the MOF file:
TransferMethods = "";

The M365DSC team has switched from "Update-MgBetaIdentityConditionalAccessPolicy" to Invoke-MgGraphRequest.
There may be some fine-tuning to do with this new property TransferMethods on the $newparameters variable.
Great job to the team by the way.
Regards
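As an added example (not Microsoft365DSC's own code), the defensive step that vinam779's observation points at: strip empty-string members (and, only on request, nulls) from the hashtable before it is serialized for Invoke-MgGraphRequest, so that an unset DSC parameter such as TransferMethods = "" never reaches Graph as an empty value. The function name, the assumption that TransferMethods maps to conditions.authenticationFlows.transferMethods in the beta schema, the constructed payload and the placeholder policy id are all mine, not taken from the module.

```powershell
# Added example, not Microsoft365DSC code. Recursively removes members whose value is an
# empty string so that an unset DSC parameter (e.g. TransferMethods = "") is not serialized
# into the Graph PATCH body. Assumption: TransferMethods maps to
# conditions.authenticationFlows.transferMethods in the beta conditionalAccessPolicy schema.
function Remove-EmptyGraphProperties {
    param(
        [Parameter(Mandatory)] [hashtable] $Payload,
        # $null can be meaningful on PATCH (it clears a value), so nulls are kept unless asked.
        [switch] $StripNull
    )
    $clean = @{}
    foreach ($key in $Payload.Keys) {
        $value = $Payload[$key]
        if ($null -eq $value) {
            if (-not $StripNull) { $clean[$key] = $null }
            continue
        }
        if ($value -is [string]) {
            if ($value.Length -gt 0) { $clean[$key] = $value }   # drop "" only
            continue
        }
        if ($value -is [hashtable]) {
            $nested = Remove-EmptyGraphProperties -Payload $value -StripNull:$StripNull
            # Keep a hashtable that was empty to begin with (e.g. applicationEnforcedRestrictions={}),
            # but drop one that became empty because all of its members were stripped.
            if ($value.Count -eq 0 -or $nested.Count -gt 0) { $clean[$key] = $nested }
            continue
        }
        $clean[$key] = $value   # arrays (including empty ones) and other scalars pass through
    }
    return $clean
}

# Constructed payload mirroring the failing log above. The empty transferMethods string is the
# value this example assumes Graph rejects with 400 BadRequest.
$body = @{
    displayName = 'CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime'
    state       = 'disabled'
    conditions  = @{
        applications        = @{ includeApplications = @('All'); excludeApplications = @() }
        clientAppTypes      = @('all')
        userRiskLevels      = @('high')
        authenticationFlows = @{ transferMethods = '' }      # unset in DSC -> "" in the payload
        users               = @{
            includeUsers                 = @('All')
            includeGuestsOrExternalUsers = $null
        }
    }
    grantControls = @{
        operator               = 'AND'
        builtInControls        = @('passwordChange')
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000002' }
    }
    sessionControls = @{ applicationEnforcedRestrictions = @{} }
}

$cleanBody = Remove-EmptyGraphProperties -Payload $body
# authenticationFlows is gone entirely: its only member was an empty string.
$cleanBody.conditions.ContainsKey('authenticationFlows')   # False

# Same call pattern the thread says 1.24.522.1 switched to; the policy id is a placeholder.
$policyId = '<policy-guid>'
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$policyId" `
    -Body ($cleanBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Run the cleaning step against a payload captured from the verbose log before and after a module upgrade; a diff of the two JSON bodies is the quickest way to see which newly added property Graph is rejecting.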

@andikrueger added labels Bug (Something isn't working), Entra ID, V1.24.515.2 (Version 1.24.515.2) on Jun 18, 2024
Raimer1988 commented

I am experiencing the same issue as @vinam779

I was also able to fix the issue by removing the "TransferMethods" property. I removed it from the exported .ps1 file before generating the .mof file.

Thank you @vinam779 for sharing the fix 😊
