
azuread_conditional_access_policy: Option to define authentication context in policy

Open robertbrandso opened this issue 1 year ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In a conditional access policy you have the option to choose an authentication context under Cloud apps or actions. This feature is in preview in Azure AD.

In the azuread_conditional_access_policy resource you have no option to define authentication context.

New or Affected Resource(s)

  • azuread_conditional_access_policy

Potential Terraform Configuration

resource "azuread_conditional_access_policy" "cau012" {
  display_name = "CAU012-AuthCon: Require MFA and compliant for sensitivity label confidential-v1.0"
  state        = "enabled"

  conditions {
    users {
      included_users  = ["All"]
    }
    applications {
      included_authentication_context = ["high"]
    }
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]
  }

  grant_controls {
    built_in_controls = ["mfa", "compliantDevice"]
    operator          = "AND"
  }
}

References

If querying the API and looking at an existing policy with authentication context defined, it looks like this:

"applications": {
    "includeApplications": [],
    "excludeApplications": [],
    "includeUserActions": [],
    "includeAuthenticationContextClassReferences": [
        "c1"
    ]
}

robertbrandso, Sep 08 '22 20:09
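As an added example (not code from the provider or the issue author), the following Python audit consumes the beta Graph JSON shape quoted above and reports which policies bind an authentication context and whether each referenced context is published; the two responses are constructed samples, and the Graph calls to fetch them are assumed to happen elsewhere.

```python
import json

# Constructed sample of GET /beta/identity/conditionalAccess/policies, trimmed
# to the keys this check needs (same shape as the JSON quoted in the issue).
POLICIES_JSON = """{"value": [
 {"id": "p1", "displayName": "CAU012-AuthCon", "state": "enabled",
  "conditions": {"applications": {"includeApplications": [],
   "includeUserActions": [],
   "includeAuthenticationContextClassReferences": ["c1", "c3"]}}},
 {"id": "p2", "displayName": "Baseline MFA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
   "includeAuthenticationContextClassReferences": []}}},
 {"id": "p3", "displayName": "Legacy block", "state": "disabled",
  "conditions": {"applications": null}}
]}"""

# Constructed sample of GET /beta/identity/conditionalAccess/
# authenticationContextClassReferences; isAvailable is the "published" flag.
CONTEXTS_JSON = """{"value": [
 {"id": "c1", "displayName": "high", "isAvailable": true},
 {"id": "c3", "displayName": "confidential", "isAvailable": false}
]}"""

def audit_auth_context(policies_json, contexts_json):
    """Return a finding for every policy bound to an authentication context.

    Resolves class reference ids to display names and flags ids that are
    unknown or unpublished (isAvailable false): apps cannot request an
    unpublished context, so a policy bound only to it never fires. These are
    also the policies azuread_conditional_access_policy cannot express today.
    """
    contexts = {c["id"]: c for c in json.loads(contexts_json)["value"]}
    findings = []
    for pol in json.loads(policies_json)["value"]:
        # "applications" can be null in real responses, so guard both levels
        apps = (pol.get("conditions") or {}).get("applications") or {}
        refs = apps.get("includeAuthenticationContextClassReferences") or []
        if not refs:
            continue  # app/user-action scoped policy; the provider handles it
        findings.append({
            "policy": pol["displayName"],
            "state": pol["state"],
            "contexts": refs,
            "names": [contexts.get(r, {}).get("displayName", "<unknown>") for r in refs],
            "not_enforceable": [r for r in refs
                                if not contexts.get(r, {}).get("isAvailable", False)],
        })
    return findings
```

Run it against live output of the two beta endpoints to get the list of policies that must be change-controlled outside Terraform until the provider can express authentication contexts.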

Just wanted to add a note to mention that this feature is apparently no longer in Preview status, so it would definitely be helpful to integrate it into the provider.

garretth9, Sep 11 '23 18:09

According to the docs it looks like this is still a preview/beta-only feature.

manicminer, Oct 27 '23 13:10

Looking in the Microsoft Learn docs (https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context) (https://learn.microsoft.com/en-us/entra/identity-platform/developer-guide-conditional-access-authentication-context) and in the Entra portal itself, I can't seem to find any mention of the feature being in preview at this point. Not sure if there are some docs I'm missing?

bhendr5, Nov 13 '23 22:11

@bhendr5 It's only present in the beta API and not in the stable API. For most resources we'd be able to offer this as an optional feature, but for CAPs the APIs are incompatible which currently precludes us from being able to use the beta API.

manicminer, Nov 13 '23 22:11

Makes sense! Neglected to check the actual API, my bad.

bhendr5, Nov 13 '23 23:11