
user_risk_levels option error

Open · Keith-EMP opened this issue 2 years ago · 1 comment

When creating a conditional access policy to only manage user_risk_levels, it errors out. My policy is very simple (below). The error says two options are not allowed, and I am not setting those. I even tried setting them to false, no difference. The setup is from the Microsoft example at https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies. When setting the sign-in frequency to "every time", the option below needs to be 0 and the frequency period should be empty, but the provider forces us to use both options, so I am just setting it to hours just to have it.

```hcl
resource "azuread_conditional_access_policy" "CAPUserRisk_v1" {
  display_name = "CA_User Risk - v1"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]
    user_risk_levels = ["high"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["All"]
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "passwordChange"]
  }

  # "Every time" sign-in frequency: 0 with an empty period is what the Microsoft
  # example describes, but the provider requires both arguments, so a period is set.
  session_controls {
    sign_in_frequency        = 0
    sign_in_frequency_period = "hours"
  }
}
```

Error is:

```text
Error: Could not create conditional access policy
│
│   with azuread_conditional_access_policy.CAPUserRisk_v1,
│   on CAP-UserRisk_v1.tf line 5, in resource "azuread_conditional_access_policy" "CAPUserRisk_v1":
│    5: resource "azuread_conditional_access_policy" "CAPUserRisk_v1" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls, 'applicationEnforcedRestrictions,
│ disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time is supported. For examples, please see the API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
```

Steps to Reproduce

  1. terraform apply


Keith-EMP avatar Sep 25 '23 21:09 Keith-EMP
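The constraint quoted in the 400 response, expressed as an added Python example (not code from the provider or from the issue author): it builds the request body that the Graph API `POST /identity/conditionalAccess/policies` endpoint expects for the policy above, and runs a client-side check of the rule the error states, namely that with the `passwordChange` grant control the only session control permitted is `signInFrequency` in its "every time" form. The property names under `sessionControls` (`frequencyInterval`, `authenticationType`, `applicationEnforcedRestrictions`, `disableResilienceDefaults`) follow the Microsoft Graph v1.0 `conditionalAccessPolicy` schema; the body labelled as mirroring what the provider sent is reconstructed from the error text and is an assumption, not a capture of the provider's actual request.

```python
import json

PASSWORD_CHANGE = "passwordChange"


def build_user_risk_policy(display_name: str,
                           state: str = "enabledForReportingButNotEnforced") -> dict:
    """Graph request body for the user-risk policy from the issue.

    conditions and grantControls map 1:1 onto the Terraform resource. The
    sessionControls block carries only signInFrequency with
    frequencyInterval "everyTime", which is the form the API error says
    it accepts alongside passwordChange (Graph v1.0 property names).
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "userRiskLevels": ["high"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["mfa", PASSWORD_CHANGE],
        },
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def to_request_json(policy: dict) -> str:
    """Serialise the body as it would be sent on the wire (stable key order)."""
    return json.dumps(policy, sort_keys=True)


def session_control_problems(policy: dict) -> list:
    """Client-side version of the rule behind Graph error 1115.

    When grantControls.builtInControls contains passwordChange, sessionControls
    may contain nothing except signInFrequency, and that must be the everyTime
    form. Returns a list of human-readable problems; empty means the body
    passes this check. Policies without passwordChange are not constrained.
    """
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if PASSWORD_CHANGE not in controls:
        return []

    session = policy.get("sessionControls") or {}
    # Any other session control that is present at all (even disabled or
    # false) is rejected, which matches the reporter's "tried false" result.
    problems = [
        f"{name} is not supported with {PASSWORD_CHANGE}"
        for name, value in session.items()
        if name != "signInFrequency" and value is not None
    ]

    sif = session.get("signInFrequency")
    if not sif:
        problems.append(f"signInFrequency everyTime is required with {PASSWORD_CHANGE}")
    elif sif.get("frequencyInterval") != "everyTime":
        problems.append("signInFrequency must use frequencyInterval everyTime")
    return problems


# Constructed approximation (assumption) of what the provider sent for the
# issue's config: the other session controls named in the error are populated
# as disabled/false instead of being omitted, and the frequency is time-based
# with the "0 hours" values from the resource.
PROVIDER_STYLE_BODY = build_user_risk_policy("CA_User Risk - v1")
PROVIDER_STYLE_BODY["sessionControls"] = {
    "applicationEnforcedRestrictions": {"isEnabled": False},
    "disableResilienceDefaults": False,
    "signInFrequency": {
        "isEnabled": True,
        "type": "hours",
        "value": 0,
        "frequencyInterval": "timeBased",
    },
}

if __name__ == "__main__":
    for label, body in (("clean", build_user_risk_policy("CA_User Risk - v1")),
                        ("provider-style", PROVIDER_STYLE_BODY)):
        print(label, session_control_problems(body) or "ok")
```

Running the check before calling the API reproduces the server's complaint locally: the provider-style body is flagged for `applicationEnforcedRestrictions`, `disableResilienceDefaults` and the time-based frequency, while the body that sends only `signInFrequency` with `frequencyInterval: everyTime` passes. The same check returns nothing for a policy whose grant controls do not include `passwordChange`, which is why the reporter's other policies are unaffected.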

Hi @Keith-EMP, thanks for reporting your use case and this error. Unfortunately, the API has some long-standing bugs around sessionControls which limit our options significantly, but I will have another look just in case maybe something got fixed, or there's perhaps some other way we can work around this.

manicminer avatar Sep 25 '23 22:09 manicminer