BadRequest: 1007: Incoming │ ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type.
Issue
Getting the following error when running `terraform apply` to create a brand new basic conditional access policy:

```text
azuread_conditional_access_policy.example_policy: Creating...
╷
│ Error: Could not create conditional access policy
│
│   with azuread_conditional_access_policy.example_policy,
│   on main.tf line 17, in resource "azuread_conditional_access_policy" "example_policy":
│   17: resource "azuread_conditional_access_policy" "example_policy" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with OData error: BadRequest: 1007: Incoming
│ ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please
│ see API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
```
Steps Taken
- Step 1: run `terraform plan` - reports that 1 add is going to occur
- Step 2: run `terraform apply` - receive the error noted above
Terraform Plan Results
```text
PS d:\github\xxxxl\iam-azuread-cap\tf\xxxx> terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # azuread_conditional_access_policy.example_policy will be created
  + resource "azuread_conditional_access_policy" "example_policy" {
      + display_name = "Test Policy2"
      + id           = (known after apply)
      + state        = "disabled"

      + conditions {
          + client_app_types = [
              + "all",
            ]

          + applications {
              + excluded_applications = []
              + included_applications = [
                  + "All",
                ]
              + included_user_actions = []
            }

          + locations {
              + excluded_locations = []
              + included_locations = []
            }

          + platforms {
              + excluded_platforms = []
              + included_platforms = []
            }

          + users {
              + excluded_groups = []
              + excluded_roles  = []
              + excluded_users  = []
              + included_groups = []
              + included_roles  = []
              + included_users  = [
                  + "4cbc2c08-93e6-40c1-b4a1-9xxxxxxxxx",
                ]
            }
        }

      + grant_controls {
          + built_in_controls = [
              + "unknownFutureValue",
            ]
          + operator          = "AND"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Enter a value: yes
```
Service Principal Permissions
| API / Permissions name | Type | Description | Admin consent required | Status |
|---|---|---|---|---|
| Microsoft Graph (2) | | | | |
| Policy.Read.All | Application | Read your organization's policies | Yes | Granted for XXXX |
| Policy.ReadWrite.ConditionalAccess | Application | Read and write your organization's conditional access policies | Yes | Granted for XXXXX |
+1 I too am experiencing this behavior when adding or modifying conditional access policies. Terraform version 1.1.9, azuread provider v2.22.0.
Changing the "grant_controls.built_in_controls" value to anything other than "unknownFutureValue" solved the problem in my case. Hope this helps.
```text
      + grant_controls {
          + built_in_controls = [
              + "domainJoinedDevice",
            ]
          + operator          = "AND"
        }
```
Final working snippet:

```hcl
resource "azuread_conditional_access_policy" "CA01_Allow_Specific_Users_From_India" {
  display_name = "CA01 Allow Specific Users From India"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = [
      "all",
    ]
    sign_in_risk_levels = []
    user_risk_levels    = []

    applications {
      excluded_applications = []
      included_applications = [
        "All",
      ]
    }

    locations {
      excluded_locations = []
      included_locations = [
        "12d9b88b-7949-4807-be87-c2f995488c76",
      ]
    }

    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = []
      included_users  = data.azuread_users.included_users.object_ids
    }
  }

  grant_controls {
    operator = "AND"
    # A concrete control rather than the "unknownFutureValue" placeholder
    built_in_controls = [
      "domainJoinedDevice",
    ]
  }

  session_controls {
    application_enforced_restrictions_enabled = false
    persistent_browser_mode                   = "always"
  }

  timeouts {}
}
```
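Since the failure above only surfaces at apply time, a pre-apply lint over the JSON plan catches the `unknownFutureValue` placeholder before anything is sent to Graph. This is an added example, not code from the provider or from either commenter; it assumes the `resource_changes[].change.after` layout of `terraform show -json` output, with nested HCL blocks rendered as lists of objects, and the sample plan embedded below is constructed from the values in this thread.

```python
import json

# Sentinel value shown in the plan above; Microsoft Graph rejects it with
# "BadRequest: 1007" when it is sent in grantControls.builtInControls.
PLACEHOLDER = "unknownFutureValue"
CA_TYPE = "azuread_conditional_access_policy"

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Nested HCL blocks are rendered as lists of objects
# in the JSON plan format, which is why grant_controls is iterated below.
SAMPLE_PLAN_JSON = """
{"resource_changes": [
  {"address": "azuread_conditional_access_policy.example_policy",
   "type": "azuread_conditional_access_policy",
   "change": {"actions": ["create"], "after": {
     "grant_controls": [{"built_in_controls": ["unknownFutureValue"],
                         "operator": "AND"}]}}},
  {"address": "azuread_conditional_access_policy.working_policy",
   "type": "azuread_conditional_access_policy",
   "change": {"actions": ["update"], "after": {
     "grant_controls": [{"built_in_controls": ["domainJoinedDevice"],
                         "operator": "AND"}]}}},
  {"address": "azuread_conditional_access_policy.old_policy",
   "type": "azuread_conditional_access_policy",
   "change": {"actions": ["delete"], "after": null}}
]}
"""


def find_placeholder_controls(plan: dict) -> list[str]:
    """Return addresses of CA policies whose planned state carries PLACEHOLDER."""
    offenders = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != CA_TYPE:
            continue
        after = rc.get("change", {}).get("after")
        if not after:  # deletions have no "after" state, nothing to validate
            continue
        for gc in after.get("grant_controls") or []:
            if PLACEHOLDER in (gc.get("built_in_controls") or []):
                offenders.append(rc["address"])
                break
    return offenders


def check_plan_json(text: str) -> list[str]:
    """Parse plan JSON (e.g. from `terraform show -json tfplan`) and check it."""
    return find_placeholder_controls(json.loads(text))
```

Run it against the output of `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, and fail the pipeline when the returned list is non-empty.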
Hi @mikeburns7, thanks for reporting this. The Conditional Access API has a number of unique behaviors which make it difficult to debug this kind of error, but if you can reproduce this and send a debug log then we can try to work out which property is causing this.
Perhaps also try @bshs-haunt's workaround (thanks!) and see if this helps with your configuration?