terraform-provider-azuread icon indicating copy to clipboard operation
terraform-provider-azuread copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

azuread_group_role_management_policy does not work and result in Invalid policy when authentication context is setup

Open SuryenduB opened this issue 11 months ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.9.3 on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v3.0.2
  • provider registry.terraform.io/hashicorp/time v0.12.1

Affected Resource(s)

  • azuread_group_role_management_policy

Terraform Configuration Files

resource "azuread_group" "pimgroup1" {
  display_name            = "glob_gsec_pim_admins_roles_workplace"
  security_enabled        = true
  assignable_to_role      = true
  prevent_duplicate_names = true

}

resource "azuread_group" "pimapprover" {
  display_name            = "glob_gsec_pimapprovers"
  security_enabled        = true
  prevent_duplicate_names = true
}


resource "azuread_group_role_management_policy" "pimpolicy1" {
  group_id = split("/", azuread_group.pimgroup1.id)[2]
  role_id  = "member"

  activation_rules {
    maximum_duration                                   = "PT16H"
    require_justification                              = true
    require_ticket_info                                = true
    required_conditional_access_authentication_context = "c2"

  }


}


resource "azuread_privileged_access_group_eligibility_schedule" "example" {
  for_each        = toset(local.user_ids)
  group_id        = split("/", azuread_group.pimgroup1.id)[2]
  principal_id    = split("/", each.value)[2]
  assignment_type = "member"
  duration        = "P30D"
  justification   = "as requested"
}

Debug Output

https://gist.github.com/SuryenduB/0a81d846643fc653d1b8e9a773e69907

Panic Output

Expected Behavior

image Expected behaviour authentication to be set.

Actual Behavior

Authentication Context is not set. image

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000

SuryenduB avatar Dec 26 '24 21:12 SuryenduB

Seeing same issue with TF 1.10.4 and AzureAD 3.1.0. The original debug log on this ticket caught me out as was comparing with my issue, but the debug log appears to be for a successful run. My debug log can be found here - https://gist.github.com/jamesw4/2ec23beeead41af5ff2e481d890a0ef6

It seems that claimValue for the auth context is being set to null. I had a quick look at the code but by no means an expert, but wondering if it seeing there is already a value (there is, its null) and its setting that rather than taking the provided value?

Before the apply the rule looks like this:

{
  "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
  "id": "AuthenticationContext_EndUser_Assignment",
  "isEnabled": false,
  "claimValue": null,
  "target": {
    "caller": "EndUser",
    "operations": [
      "all"
    ],
    "level": "Assignment",
    "inheritableSettings": [],
    "enforcedSettings": []
  }
}

Then the patch from terraform looks like this, i.e. its switched to enabled, but claimValue is still null, some of the nesting also looks off?:

{
  "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
  "claimValue": null,
  "id": "AuthenticationContext_EndUser_Assignment",
  "isEnabled": true,
  "target": {
    "caller": "EndUser",
    "enforcedSettings": [],
    "inheritableSettings": [],
    "level": "Assignment",
    "operations": [
      "all"
    ]
  }
}

jamesw4 avatar Jan 17 '25 14:01 jamesw4

Do we have any updates on this issue? I have same issue whiles trying to set required_conditional_access_authentication_context, it ignored the changes and not setting it as it should be according to how I will set it in the properties

hungbui78 avatar Apr 28 '25 09:04 hungbui78

Still no updates? The issue still persist!

hungbui78 avatar May 05 '25 10:05 hungbui78

Just ran in to this, issue still exists it seems like...

Hyltcavl avatar Oct 09 '25 15:10 Hyltcavl

For anyone needing an interim-solution to this particular issue, the recent release of the v0.2.0 msgraph provider makes for a reasonable work-around.

Using @jamesw4 example above, can be achieved with the following snippet:

resource "msgraph_update_resource" "update_authentication_context_enduser_assignment" {
  url = "policies/roleManagementPolicies/${azuread_group_role_management_policy.example.id}/rules/AuthenticationContext_EndUser_Assignment"
  body = {
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
    id            = "AuthenticationContext_EndUser_Assignment"
    isEnabled     = true
    claimValue    = "c1"
    target = {
      caller              = "EndUser"
      operations          = ["all"]
      level               = "Assignment"
      inheritableSettings = []
      enforcedSettings    = []
    }
  }
}

aaronwhite42 avatar Oct 09 '25 23:10 aaronwhite42