AADConditionalAccessPolicy: Add support for Authentication Flows #4472

Open
techthoughts2 opened this issue Mar 20, 2024 · 0 comments
Labels
Enhancement New feature or request Entra ID

@techthoughts2
Description of the issue

AADConditionalAccessPolicy does not currently support Conditional Access (CA) policy settings related to Authentication flows:

  • Device Code Flow
  • Authentication transfer

See attached photo for the corresponding portal-based settings:

[image: Conditional Access policy "Authentication flows" settings in the Entra portal, showing Device code flow and Authentication transfer]

While this CA policy can be successfully created in the Portal, an export of the policy does not reflect any of the settings related to Authentication flow settings.

See attached export of the resource for details.

Enhancement request:
Add support to the AADConditionalAccessPolicy resource for adjusting the Device Code Flow and Authentication transfer settings.

Microsoft 365 DSC Version

v1.24.313.1

Which workloads are affected

Azure Active Directory

The DSC configuration

AADConditionalAccessPolicy "AADConditionalAccessPolicy-Block MS Device code flow"
{
    ApplicationId                        = $ConfigurationData.NonNodeData.ApplicationId;
    AuthenticationContexts               = @();
    BuiltInControls                      = @("block");
    CertificateThumbprint                = $ConfigurationData.NonNodeData.CertificateThumbprint;
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "Block MS Device code flow";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "";
    ExcludeGroups                        = @();
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @("");
    GrantControlOperator                 = "OR";
    Id                                   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx";
    IncludeApplications                  = @("All");
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @();
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @();
    IncludeUserActions                   = @();
    IncludeUsers                         = @("All");
    PersistentBrowserMode                = "";
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabled";
    TenantId                             = $OrganizationName;
    UserRiskLevels                       = @();
}

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

No response
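As an added example (not part of the issue or of the Microsoft365DSC project), the function below reads Conditional Access policies straight from Microsoft Graph and lists those whose Authentication flows condition is set, so the Device Code Flow and Authentication transfer settings that the AADConditionalAccessPolicy export currently drops can still be reviewed alongside the DSC output. It assumes the Graph beta schema, where conditions.authenticationFlows.transferMethods is a comma-separated flag string ("deviceCodeFlow", "authenticationTransfer" or "none"); the sample policies are constructed, not real tenant data.

```powershell
# Added example, not Microsoft365DSC code. Assumes the Graph beta conditionalAccessPolicy
# schema: conditions.authenticationFlows.transferMethods is a flag string such as
# "deviceCodeFlow", "authenticationTransfer" or "none".
function Get-CAPolicyAuthenticationFlows {
    param(
        # Raw policy objects (hashtables) as returned by Invoke-MgGraphRequest
        [Parameter(Mandatory)] [hashtable[]] $Policies
    )
    foreach ($p in $Policies) {
        $methods = $p.conditions.authenticationFlows.transferMethods
        # Skip policies where the Authentication flows condition is not configured
        if (-not $methods -or $methods -eq 'none') { continue }
        [pscustomobject]@{
            DisplayName   = $p.displayName
            State         = $p.state
            Flows         = ($methods -split ',\s*')
            GrantControls = ($p.grantControls.builtInControls -join ',')
        }
    }
}

# Constructed sample policies (not real tenant data) so the function runs offline.
# The first mirrors the policy in the issue: block grant, device code flow condition.
$sample = @(
    @{ displayName = 'Block MS Device code flow'; state = 'enabled'
       conditions = @{ authenticationFlows = @{ transferMethods = 'deviceCodeFlow' } }
       grantControls = @{ builtInControls = @('block') } },
    @{ displayName = 'Require MFA for all users'; state = 'enabled'
       conditions = @{ authenticationFlows = $null }
       grantControls = @{ builtInControls = @('mfa') } }
)
Get-CAPolicyAuthenticationFlows -Policies $sample | Format-Table -AutoSize

# Against a live tenant (after Connect-MgGraph -Scopes 'Policy.Read.All'):
# $live = (Invoke-MgGraphRequest -Method GET `
#     -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies').value
# Get-CAPolicyAuthenticationFlows -Policies $live
```

Comparing this list against the exported AADConditionalAccessPolicy blocks shows which policies carry Authentication flows settings that the DSC configuration does not yet capture.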

@andikrueger andikrueger added Enhancement New feature or request Entra ID labels Mar 21, 2024