
Add "AppProtectionPolicy" to Conditional Access Grant Control

Open zach-griffin opened this issue 1 year ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, the provider does not support the "Require App Protection Policy" grant control. The currently supported "Require approved client app" is being sunset by Microsoft and they are requiring conditional access policies to migrate to the new "Require App Protection Policy" control. I would like to request that we add the AppProtectionPolicy control to supported built_in_controls here: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/conditional_access_policy#built_in_controls

New or Affected Resource(s)

  • azuread_conditional_access_policy

Potential Terraform Configuration

resource "azuread_conditional_access_policy" "sample-policy" {
  display_name = "Sample Policy"
  state        = "enabled"

  conditions {
    client_app_types    = ["All"]

    applications {
      included_applications = ["All"]
    }
    users {
      included_users = ["All"]
    }
  }
  
  grant_controls {
    operator          = "OR"
    built_in_controls = ["appProtectionPolicy"]
  }
}

References

  • https://learn.microsoft.com/en-us/entra/identity/conditional-access/migrate-approved-client-app
  • https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-approved-app-or-app-protection

zach-griffin avatar Feb 14 '24 17:02 zach-griffin

This has already been implemented by setting built_in_controls = ["compliantApplication"].

nbaju1 avatar Feb 16 '24 09:02 nbaju1
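As an added example (not from the issue or from the provider's own documentation) of what nbaju1's answer looks like in a real policy: the retiring approvedApplication grant control side by side with its replacement, compliantApplication, scoped to the mobile platforms an app protection policy actually applies to. The var.break_glass_group_id variable is assumed to exist.

```hcl
# Legacy form: "Require approved client app" (approvedApplication) is being
# retired by Microsoft. Kept disabled here only for comparison.
resource "azuread_conditional_access_policy" "legacy_approved_app" {
  display_name = "Legacy - Require approved client app"
  state        = "disabled"

  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]

    applications {
      included_applications = ["Office365"]
    }
    platforms {
      included_platforms = ["iOS", "android"]
    }
    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id] # assumed emergency-access group
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["approvedApplication"]
  }
}

# Replacement: "Require app protection policy", which the provider exposes as
# the compliantApplication built-in control. Start in report-only mode and
# switch state to "enabled" once sign-in logs show no unexpected blocks.
resource "azuread_conditional_access_policy" "require_app_protection" {
  display_name = "Require app protection policy on mobile"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]

    applications {
      included_applications = ["Office365"]
    }
    platforms {
      included_platforms = ["iOS", "android"]
    }
    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id] # assumed emergency-access group
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["compliantApplication"]
  }
}
```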

@nbaju1 good to know, thanks! We should probably still have that listed in the documentation somewhere though, right?

zach-griffin avatar Feb 16 '24 13:02 zach-griffin

@zach-griffin, "compliantApplication" is listed as one of the options for built_in_controls in the docs, ref: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/conditional_access_policy#built_in_controls

nbaju1 avatar Feb 19 '24 07:02 nbaju1

Thanks for requesting this @zach-griffin. As this seems to now be supported in the provider, I'll close this issue as resolved.

manicminer avatar May 09 '24 09:05 manicminer