terraform-provider-azuread
Unexpected behaviour with session_controls
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Terraform: 1.6.2
AzureAD: 2.45.0
Affected Resource(s)
- azuread_conditional_access_policy
Problem
In one of my CA policies, I am setting application_enforced_restrictions_enabled to true. This is the only session control defined in this particular policy.
Today, I noticed that when performing a plan, the following session_controls are now "added":
- sign_in_frequency_authentication_type = "primaryAndSecondaryAuthentication"
- sign_in_frequency_interval = "timeBased"
Terraform plan output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azuread_conditional_access_policy.CA004 will be updated in-place
  ~ resource "azuread_conditional_access_policy" "CA004" {
        id = "policyId"
        # (2 unchanged attributes hidden)

      ~ session_controls {
          + sign_in_frequency_authentication_type = "primaryAndSecondaryAuthentication"
          + sign_in_frequency_interval            = "timeBased"
            # (3 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Expected Behavior
Expected behaviour is no change to the policy. I haven't defined these additional session controls in my Terraform configuration.
Policy configuration
resource "azuread_conditional_access_policy" "CA004" {
  display_name = "${var.tenant} - ${local.policy4.sequence_number} - ${local.policy4.personas_groups} - ${local.policy4.cloud_app_target} : ${local.policy4.response}"
  state        = "enabled"
  conditions {
    client_app_types = ["all"]
    // sign_in_risk_levels = []
    // user_risk_levels = []
    applications {
      // excluded_applications = []
      included_applications = ["Office365"]
      // included_user_actions = []
    }
    platforms {
      // excluded_platforms = []
      included_platforms = ["all"]
    }
    users {
      excluded_groups = [var.group1]
      // excluded_roles = []
      // excluded_users = []
      included_groups = [var.group2]
      // included_roles = []
      // included_users = []
    }
  }
  session_controls {
    application_enforced_restrictions_enabled = true
    // cloud_app_security_policy = null
    // persistent_browser_mode = null
    // sign_in_frequency = 0
    // sign_in_frequency_period = null
  }
}
Actual Behavior
After performing an apply, the state file contains these new session_controls, but when looking at the policy in the Azure portal, it looks as I would expect. There's no visible change to the policy, but it is unclear at this stage what effect these additional session controls could be having on the policy.
@dankitch Thanks for reporting this. We added support for session controls in v2.45 under the assumption that these were defaulted in all CAPs - which we observed during testing.
Would you be able to post a copy of your policy as returned by the API, e.g. https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/3aa40000-ac1d-0000-9534-aa9e00000000
If the policy has already been updated by v2.45, it would be really appreciated if you could post a copy of a policy that hasn't yet been updated by this version. Preferably an older policy, and maybe even one created outside of Terraform initially, if you have any that fit these criteria.
@manicminer Thanks for the response. Here is a copy of the policy which has been provisioned using azuread v2.44.1:
v2.44.1
{
  "id": "policyId",
  "templateId": null,
  "displayName": " TEST - LAB - CA004 - All Device Platforms - All Clients - Office 365 : Use App Enforced Restrictions",
  "createdDateTime": "2023-10-30T16:11:01.9842414Z",
  "modifiedDateTime": null,
  "state": "enabled",
  "grantControls": null,
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [
      "all"
    ],
    "servicePrincipalRiskLevels": [],
    "locations": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": [
        "Office365"
      ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [],
      "excludeUsers": [],
      "includeGroups": [
        "dc8108db-266b-421d-9230-6fa6b428b0fb"
      ],
      "excludeGroups": [
        "11908e9b-e7b6-4a6d-8950-88810ac3870c",
        "09946bda-a090-41ef-a2fc-0884a13d2cff",
        "e58216ac-9dd8-47d8-bbd8-58497dc94a5d"
      ],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    },
    "platforms": {
      "includePlatforms": [
        "all"
      ],
      "excludePlatforms": []
    }
  },
  "sessionControls": {
    "disableResilienceDefaults": null,
    "cloudAppSecurity": null,
    "signInFrequency": null,
    "persistentBrowser": null,
    "applicationEnforcedRestrictions": {
      "isEnabled": true
    }
  }
}
Here is a copy of the policy provisioned using azuread v2.45.0:
v2.45.0
{
  "id": "policyId2",
  "templateId": null,
  "displayName": "LAB - CA004 - All Device Platforms - All Clients - Office 365 : Use App Enforced Restrictions",
  "createdDateTime": "2023-10-30T16:21:03.2365066Z",
  "modifiedDateTime": "2023-10-30T16:23:49.3009612Z",
  "state": "enabled",
  "grantControls": null,
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [
      "all"
    ],
    "servicePrincipalRiskLevels": [],
    "locations": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": [
        "Office365"
      ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [],
      "excludeUsers": [],
      "includeGroups": [
        "dc8108db-266b-421d-9230-6fa6b428b0fb"
      ],
      "excludeGroups": [
        "11908e9b-e7b6-4a6d-8950-88810ac3870c",
        "09946bda-a090-41ef-a2fc-0884a13d2cff",
        "e58216ac-9dd8-47d8-bbd8-58497dc94a5d"
      ],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    },
    "platforms": {
      "includePlatforms": [
        "all"
      ],
      "excludePlatforms": []
    }
  },
  "sessionControls": {
    "disableResilienceDefaults": null,
    "cloudAppSecurity": null,
    "signInFrequency": null,
    "persistentBrowser": null,
    "applicationEnforcedRestrictions": {
      "isEnabled": true
    }
  }
}
Other than the displayName, createdDateTime, modifiedDateTime, and of course the policy id, both policies match.
However, when reviewing the state file, you can see the additional session controls in v2.45.0. Below is a comparison:
v2.44.1 state
"session_controls": [
  {
    "application_enforced_restrictions_enabled": true,
    "cloud_app_security_policy": "",
    "disable_resilience_defaults": false,
    "persistent_browser_mode": "",
    "sign_in_frequency": 0,
    "sign_in_frequency_period": ""
  }
]
v2.45.0 state
"session_controls": [
  {
    "application_enforced_restrictions_enabled": true,
    "cloud_app_security_policy": "",
    "disable_resilience_defaults": false,
    "persistent_browser_mode": "",
    "sign_in_frequency": 0,
    "sign_in_frequency_authentication_type": "primaryAndSecondaryAuthentication",
    "sign_in_frequency_interval": "timeBased",
    "sign_in_frequency_period": ""
  }
]
Unfortunately, I don't have any policies created outside of Terraform anymore.
Is it worth creating one using the GUI to compare against, or will that not make much difference?
Thanks!
I am getting the same issue: if I do a terraform apply, these settings appear to be applied, but then they re-appear in the plan (not idempotent).
I get the same issue for a policy where the only setting in the session_controls section is persistent_browser_mode = "never". I need neither sign_in_frequency_authentication_type nor sign_in_frequency_interval.
Provider ver.: v2.45.0
The bug is caused by the default values on the optional parameters at lines 585 and 595:
https://github.com/hashicorp/terraform-provider-azuread/blob/7b69d8352eb24cb32017c871f47cf10cef300d4a/internal/services/conditionalaccess/conditional_access_policy_resource.go#L585
This line is also related: it sets the sign-in frequency to 0, which may trigger it to use the defaults: https://github.com/hashicorp/terraform-provider-azuread/blob/7b69d8352eb24cb32017c871f47cf10cef300d4a/internal/services/conditionalaccess/conditionalaccess.go#L158
Here is the block for the session controls sign-in frequency; isEnabled can be false:
[SignInFrequency <IMicrosoftGraphSignInFrequencySessionControl>]: signInFrequencySessionControl
  [(Any) <Object>]: This indicates any property can be added to this object.
  [IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
  [AuthenticationType <String>]: signInFrequencyAuthenticationType
  [FrequencyInterval <String>]: signInFrequencyInterval
  [Type <String>]: signinFrequencyType
  [Value <Int32?>]: The number of days or hours.
Reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mgidentityconditionalaccesspolicy?view=graph-powershell-1.0
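A constructed Go model of the diagnosis in the thread (added illustration, not the provider's own code; the type and function names are hypothetical, the attribute and Graph field names are the ones quoted above). It contrasts an expand step that copies the schema defaults into a signInFrequency object even when no frequency was configured with one that emits no object at all in that case, which is what keeps "signInFrequency": null on the API side and the two defaulted strings out of the state.

```go
package main

import "fmt"

// SessionControlsConfig: the session_controls block as the SDK hands it to the
// provider, i.e. after schema defaults have been applied (constructed model).
type SessionControlsConfig struct {
	ApplicationEnforcedRestrictionsEnabled bool
	SignInFrequency                        int    // 0 when never set
	SignInFrequencyPeriod                  string // "" when unset
	SignInFrequencyAuthenticationType      string // Default "primaryAndSecondaryAuthentication"
	SignInFrequencyInterval                string // Default "timeBased"
}

// SignInFrequencyControl mirrors the Graph signInFrequencySessionControl object.
type SignInFrequencyControl struct {
	IsEnabled          bool
	AuthenticationType string
	FrequencyInterval  string
	Type               string
	Value              int
}

// expandWithDefaults models the reported behaviour: the defaulted strings are
// sent in a signInFrequency object (isEnabled false) although none was configured.
func expandWithDefaults(c SessionControlsConfig) *SignInFrequencyControl {
	return &SignInFrequencyControl{
		IsEnabled:          c.SignInFrequency > 0,
		AuthenticationType: c.SignInFrequencyAuthenticationType,
		FrequencyInterval:  c.SignInFrequencyInterval,
		Type:               c.SignInFrequencyPeriod,
		Value:              c.SignInFrequency,
	}
}

// expandOnlyWhenSet is the expected behaviour: no frequency configured means no
// signInFrequency object, so the API keeps "signInFrequency": null and nothing drifts.
func expandOnlyWhenSet(c SessionControlsConfig) *SignInFrequencyControl {
	if c.SignInFrequency == 0 {
		return nil
	}
	return expandWithDefaults(c)
}

func main() {
	// Constructed input: the thread's CA004 policy after schema defaults.
	cfg := SessionControlsConfig{ApplicationEnforcedRestrictionsEnabled: true,
		SignInFrequencyAuthenticationType: "primaryAndSecondaryAuthentication",
		SignInFrequencyInterval:           "timeBased"}
	fmt.Printf("with defaults: %+v\nonly when set: %v\n", expandWithDefaults(cfg), expandOnlyWhenSet(cfg))
}
```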