Microsoft365DSC
Applying an AADConditionalAccessPolicy fails due to empty SessionControls
Details of the scenario you tried and the problem that is occurring
I am applying an AADConditionalAccessPolicy configuration where the session control parameters have not been defined. This will fail.
Verbose logs showing the problem
Error Message: The server could not process the request because it is malformed or incorrect.
Message ID: BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgIdentityConditionalAccessPolicy_UpdateExpanded
Suggested solution to the issue
I believe the issue results from the way the SessionControls are being initialized and set in the module. The SessionControls are being initialized with a $Null value: https://github.com/microsoft/Microsoft365DSC/blob/275fd3c16a440bdc11d2ad16b19f35480ffc5620/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1#L1612 in Set-TargetResource. Now, if no parameters for the SessionControl exist in the config (which I believe is a valid use case), this initial value ($null) will not get changed.
Basically the subsequent code line will return false:
if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled)
and thus, the $null-valued SessionControls will make it into the configuration that will be applied to the tenant in https://github.com/microsoft/Microsoft365DSC/blob/275fd3c16a440bdc11d2ad16b19f35480ffc5620/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1#L1666 .
The DSC configuration that is used to reproduce the issue (as detailed as possible)
# insert configuration here
The operating system the target node is running
PS Version: 5.1.20348.643
Version of the DSC module that was used ('dev' if using current dev branch)
M365DSC version 1.22.511.1
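The following is an added illustration of the mechanism described in the report above; it is not Microsoft365DSC's own code. It shows the two ways the session controls can reach the Graph splat: passing the $null placeholder through unconditionally (the behaviour the report describes), versus building the SessionControls hashtable only when at least one control is enabled and otherwise leaving the key out of the splat entirely. The function names, parameter lists, the placeholder policy id and the sample policy values are assumptions made for the example; the real Update-MgIdentityConditionalAccessPolicy call is left commented out because it needs an authenticated Graph session.

```powershell
# Added example (not Microsoft365DSC code). Assumed helper names:
# Build-SessionControls and New-UpdateParameters.

function Build-SessionControls {
    param(
        [bool]$ApplicationEnforcedRestrictionsIsEnabled,
        [bool]$CloudAppSecurityIsEnabled,
        [string]$CloudAppSecurityType,
        [bool]$SignInFrequencyIsEnabled,
        [int]$SignInFrequencyValue,
        [string]$SignInFrequencyType,
        [bool]$PersistentBrowserIsEnabled,
        [string]$PersistentBrowserMode
    )
    # Nothing configured: return $null so the caller can omit the property.
    if (-not ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or
              $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled)) {
        return $null
    }
    $sc = @{}
    if ($ApplicationEnforcedRestrictionsIsEnabled) {
        $sc.ApplicationEnforcedRestrictions = @{ IsEnabled = $true }
    }
    if ($CloudAppSecurityIsEnabled) {
        $sc.CloudAppSecurity = @{ IsEnabled = $true; CloudAppSecurityType = $CloudAppSecurityType }
    }
    if ($SignInFrequencyIsEnabled) {
        $sc.SignInFrequency = @{ IsEnabled = $true; Value = $SignInFrequencyValue; Type = $SignInFrequencyType }
    }
    if ($PersistentBrowserIsEnabled) {
        $sc.PersistentBrowser = @{ IsEnabled = $true; Mode = $PersistentBrowserMode }
    }
    return $sc
}

function New-UpdateParameters {
    param(
        [string]$PolicyId,
        [string]$DisplayName,
        [string]$State,
        [hashtable]$Conditions,
        [hashtable]$GrantControls,
        $SessionControls,                      # hashtable or $null
        [switch]$AlwaysIncludeSessionControls  # reproduces the reported behaviour
    )
    $params = @{
        ConditionalAccessPolicyId = $PolicyId
        DisplayName               = $DisplayName
        State                     = $State
        Conditions                = $Conditions
        GrantControls             = $GrantControls
    }
    # Only add the key when there is something to send (unless the switch
    # forces the $null through, as the report describes happening in the module).
    if ($AlwaysIncludeSessionControls -or $null -ne $SessionControls) {
        $params.SessionControls = $SessionControls
    }
    return $params
}

# Constructed sample input matching the report: a policy with no session controls.
$common = @{
    PolicyId      = '00000000-0000-0000-0000-000000000000'   # placeholder id
    DisplayName   = 'Example policy'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users          = @{ IncludeUsers = @('All') }
        Applications   = @{ IncludeApplications = @('None') }
        ClientAppTypes = @('all')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
$sc = Build-SessionControls -ApplicationEnforcedRestrictionsIsEnabled $false `
    -CloudAppSecurityIsEnabled $false -SignInFrequencyIsEnabled $false `
    -PersistentBrowserIsEnabled $false

$broken = New-UpdateParameters @common -SessionControls $sc -AlwaysIncludeSessionControls
$fixed  = New-UpdateParameters @common -SessionControls $sc

if ($broken.ContainsKey('SessionControls') -and $null -eq $broken.SessionControls) {
    'Broken: SessionControls key present with a $null value'
    # ConvertTo-Json shows the property going out as null rather than being omitted.
    $broken | ConvertTo-Json -Depth 5
}
if (-not $fixed.ContainsKey('SessionControls')) {
    'Fixed: SessionControls left out of the request'
    $fixed | ConvertTo-Json -Depth 5
}

# Real call (requires Connect-MgGraph with Policy.ReadWrite.ConditionalAccess):
# Update-MgIdentityConditionalAccessPolicy @fixed
```

The ConvertTo-Json output is only an approximation of what the Graph cmdlet serializes, but it makes the difference visible offline: the first splat carries an explicit null for the property, the second does not mention it at all.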
@andikrueger Any updates regarding this issue? Thanks!
Hey Seb, I am trying a config with the following config:
```powershell
# Wrapped in a Configuration with the module import so it can be compiled as posted.
Configuration NikTest3
{
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credscredential
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # All four session control *IsEnabled flags are $False: no session controls are defined.
        AADConditionalAccessPolicy 77b84173-9189-4f6f-a796-2a98b35b10d6
        {
            ApplicationEnforcedRestrictionsIsEnabled = $False;
            BuiltInControls                          = @("mfa");
            ClientAppTypes                           = @("all");
            CloudAppSecurityIsEnabled                = $False;
            CloudAppSecurityType                     = "";
            Credential                               = $Credscredential;
            DeviceFilterRule                         = "";
            DisplayName                              = "NikTest3";
            Ensure                                   = "Present";
            ExcludeApplications                      = @();
            ExcludeDevices                           = @();
            ExcludeGroups                            = @();
            ExcludeLocations                         = @();
            ExcludePlatforms                         = @();
            ExcludeRoles                             = @();
            ExcludeUsers                             = @();
            GrantControlOperator                     = "OR";
            IncludeApplications                      = @("None");
            IncludeDevices                           = @();
            IncludeGroups                            = @();
            IncludeLocations                         = @();
            IncludePlatforms                         = @();
            IncludeRoles                             = @("Attack Payload Author","Attack Simulation Administrator");
            IncludeUserActions                       = @();
            IncludeUsers                             = @();
            PersistentBrowserIsEnabled               = $False;
            PersistentBrowserMode                    = "";
            SignInFrequencyIsEnabled                 = $False;
            SignInFrequencyType                      = "";
            SignInRiskLevels                         = @();
            State                                    = "enabledForReportingButNotEnforced";
            UserRiskLevels                           = @();
        }
    }
}
```
And it creates the Conditional Access Policy as expected even if it doesn't define the sessioncontrols parameter. Is this the scenario that is not working for you? Thanks
@SebastianGoers Any updates on this one?
Closing due to inactivity.