Test-MtConditionalAccessWhatIf fails with response 'Forbidden'
Custom Conditional Access tests using the provided Test-MtConditionalAccessWhatIf function fail with a 'Forbidden' response code.
Same error generated with GitHub Actions and local Invoke-Maester command.
PowerShell version 7.4.1. User has Global Admin permissions on the tenant.
Attempted tests (userids removed):
```powershell
Describe "Conditional Access WhatIf" {
    It "CAP.001: Block access to the Azure portal for non-admin users" {
        Test-MtConditionalAccessWhatIf -UserId '<GUID>' -IncludeApplications "00000002-0000-0ff1-ce00-000000000000" | Should -Contain "block"
    }
}

Describe "Contoso.ConditionalAccess" {
    It "Microsoft 365 access requires MFA" {
        $userId = (Get-MgUser -UserId '[email protected]').Id
        $sharePointAppId = '67ad5377-2d78-4ac2-a867-6300cda00e85'
        # The trailing backtick continues the command onto the next line only;
        # a second stray backtick after -IncludeApplications would have swallowed
        # the assertion below as another argument.
        $policiesEnforced = Test-MtConditionalAccessWhatIf -UserId $userId `
            -IncludeApplications $sharePointAppId
        $policiesEnforced.grantControls.builtInControls | Should -Contain "mfa"
    }
}
```
It requires the Policy.ReadWrite.ConditionalAccess scope which isn't requested atm.
AFAIK there's no read-only permission yet during the private preview of the underlying graph API. Likely one of the reasons they disabled the included tests for the moment (https://github.com/maester365/maester/commit/d548a5af03e89ecb179708c6ffab4c1c075a3d37)
@fflaten thanks for pointing this out. We still should add some documentation here.
@jg-declarative If you connect to graph using Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" one time you can grant this permission for your users.
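One way to make the scope requirement explicit so a test fails with an actionable message instead of an HTTP 403, as an added example that is not code from this thread or from the Maester project. It assumes Pester 5 and the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgContext, Get-MgUser) are installed, and the user principal name and application id are placeholders to replace:

```powershell
Describe "Contoso.ConditionalAccess" {
    BeforeAll {
        # Scope named in the thread as required by the WhatIf API during preview.
        $requiredScope = 'Policy.ReadWrite.ConditionalAccess'

        # Reuse an existing session if it already carries the scope; otherwise sign in
        # once requesting it. A Global Admin consenting here grants it for later sessions.
        $context = Get-MgContext
        if (-not $context -or $context.Scopes -notcontains $requiredScope) {
            Connect-MgGraph -Scopes $requiredScope -NoWelcome
        }

        # Fail fast with a clear reason rather than letting the API answer 'Forbidden'.
        if ((Get-MgContext).Scopes -notcontains $requiredScope) {
            throw "Graph session lacks '$requiredScope'; run Connect-MgGraph -Scopes '$requiredScope'."
        }

        # Placeholders (assumptions): replace with a real user and the application under test.
        $userId = (Get-MgUser -UserId '<user@contoso.example>').Id
        $appId  = '<application-id>'
    }

    It "Access to the application requires MFA" {
        $policiesEnforced = Test-MtConditionalAccessWhatIf -UserId $userId `
            -IncludeApplications $appId
        $policiesEnforced.grantControls.builtInControls | Should -Contain 'mfa'
    }
}
```

Keeping the sign-in and the scope check inside BeforeAll matters with Pester 5: code outside Describe runs during discovery, so variables set there are not visible when the It block executes.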
@fflaten @f-bader thanks guys super helpful! Are these still undocumented from the Microsoft side?
Yes public documentation should arrive soon. Thanks to the very gracious product manager we got approval to use it a bit early.
> It requires the `Policy.ReadWrite.ConditionalAccess` scope which isn't requested atm. AFAIK there's no read-only permission yet during the private preview of the underlying graph API. Likely one of the reasons they disabled the included tests for the moment (d548a5a)
I have had some success using Policy.Read.ConditionalAccess for this as well.
A side note is that I have found the API to be vaguely flaky at the moment; sometimes it picks up my tests for "other" as a ClientAppType with the correct policies and other times it doesn't (tried with both Read and ReadWrite permissions).
Added the missing scope to the module. Should be in one of the next public versions
@fflaten @f-bader do we know when this API version will be in GA?
No idea. Still missing public beta documentation AFAIK. @merill might know more.
thanks for the update