Microsoft365DSC
AADConditionalAccessPolicy seems not to take AuthenticationStrength into account
Description of the issue
When I try to deploy a conditional access policy (new or existing), the AADConditionalAccessPolicy resource seems not to take the AuthenticationStrength parameter into account. I set it to AuthenticationStrength = "Multifactor authentication". There is no error during deployment, but the authentication strength is not set.
Microsoft 365 DSC Version
1.23.1220.1
Which workloads are affected
Azure Active Directory
The DSC configuration
Parameters are:
AADConditionalAccessPolicy:
  - DisplayName: "KG - Default Users Policy (Device Compliant Based OR MFA)"
    ApplicationEnforcedRestrictionsIsEnabled: False
    AuthenticationContexts: []
    AuthenticationStrength: "Multifactor authentication"
    BuiltInControls: ["compliantDevice"]
    ClientAppTypes: ["all"]
    CloudAppSecurityIsEnabled: False
    CloudAppSecurityType: ""
    CustomAuthenticationFactors: []
    DeviceFilterRule: ""
    Ensure: "Present"
    ExcludeApplications: []
    ExcludeExternalTenantsMembers: []
    ExcludeExternalTenantsMembershipKind: ""
    ExcludeGroups: []
    ExcludeLocations: []
    ExcludePlatforms: []
    ExcludeRoles: []
    ExcludeUsers: ["[email protected]"]
    GrantControlOperator: "OR"
    IncludeApplications: ["All"]
    IncludeExternalTenantsMembers: []
    IncludeExternalTenantsMembershipKind: ""
    IncludeGroups: []
    IncludeLocations: []
    IncludePlatforms: []
    IncludeRoles: []
    IncludeUserActions: []
    IncludeUsers: ["All"]
    PersistentBrowserIsEnabled: False
    PersistentBrowserMode: ""
    SignInFrequencyInterval: "unknownFutureValue"
    SignInFrequencyIsEnabled: False
    SignInFrequencyType: ""
    SignInRiskLevels: []
    State: "enabled"
    UserRiskLevels: []
AADConditionalAccessPolicy $AADConditionalAccessPolicy.DisplayName {
    ApplicationEnforcedRestrictionsIsEnabled = $AADConditionalAccessPolicy.ApplicationEnforcedRestrictionsIsEnabled
    ApplicationId = $ApplicationId
    AuthenticationContexts = $AADConditionalAccessPolicy.AuthenticationContexts
    # The AuthenticationStrength value from the parameters above must be mapped
    # here as well; without this line the resource never receives it.
    AuthenticationStrength = $AADConditionalAccessPolicy.AuthenticationStrength
    BuiltInControls = $AADConditionalAccessPolicy.BuiltInControls
    CertificateThumbprint = $Thumbprint
    ClientAppTypes = $AADConditionalAccessPolicy.ClientAppTypes
    CloudAppSecurityIsEnabled = $AADConditionalAccessPolicy.CloudAppSecurityIsEnabled
    CloudAppSecurityType = $AADConditionalAccessPolicy.CloudAppSecurityType
    CustomAuthenticationFactors = $AADConditionalAccessPolicy.CustomAuthenticationFactors
    DeviceFilterRule = $AADConditionalAccessPolicy.DeviceFilterRule
    DisplayName = $AADConditionalAccessPolicy.DisplayName
    Ensure = $AADConditionalAccessPolicy.Ensure
    ExcludeApplications = $AADConditionalAccessPolicy.ExcludeApplications
    ExcludeExternalTenantsMembers = $AADConditionalAccessPolicy.ExcludeExternalTenantsMembers
    ExcludeExternalTenantsMembershipKind = $AADConditionalAccessPolicy.ExcludeExternalTenantsMembershipKind
    ExcludeGroups = $AADConditionalAccessPolicy.ExcludeGroups
    ExcludeLocations = $AADConditionalAccessPolicy.ExcludeLocations
    ExcludePlatforms = $AADConditionalAccessPolicy.ExcludePlatforms
    ExcludeRoles = $AADConditionalAccessPolicy.ExcludeRoles
    ExcludeUsers = $AADConditionalAccessPolicy.ExcludeUsers
    GrantControlOperator = $AADConditionalAccessPolicy.GrantControlOperator
    Id = $AADConditionalAccessPolicy.Id
    IncludeApplications = $AADConditionalAccessPolicy.IncludeApplications
    IncludeExternalTenantsMembers = $AADConditionalAccessPolicy.IncludeExternalTenantsMembers
    IncludeExternalTenantsMembershipKind = $AADConditionalAccessPolicy.IncludeExternalTenantsMembershipKind
    IncludeGroups = $AADConditionalAccessPolicy.IncludeGroups
    IncludeLocations = $AADConditionalAccessPolicy.IncludeLocations
    IncludePlatforms = $AADConditionalAccessPolicy.IncludePlatforms
    IncludeRoles = $AADConditionalAccessPolicy.IncludeRoles
    IncludeUserActions = $AADConditionalAccessPolicy.IncludeUserActions
    IncludeUsers = $AADConditionalAccessPolicy.IncludeUsers
    PersistentBrowserIsEnabled = $AADConditionalAccessPolicy.PersistentBrowserIsEnabled
    PersistentBrowserMode = $AADConditionalAccessPolicy.PersistentBrowserMode
    SignInFrequencyInterval = $AADConditionalAccessPolicy.SignInFrequencyInterval
    SignInFrequencyIsEnabled = $AADConditionalAccessPolicy.SignInFrequencyIsEnabled
    SignInFrequencyType = $AADConditionalAccessPolicy.SignInFrequencyType
    SignInFrequencyValue = $AADConditionalAccessPolicy.SignInFrequencyValue
    SignInRiskLevels = $AADConditionalAccessPolicy.SignInRiskLevels
    State = $AADConditionalAccessPolicy.State
    TenantId = $TenantId
    UserRiskLevels = $AADConditionalAccessPolicy.UserRiskLevels
}
Verbose logs showing the problem
VERBOSE: [fv-az899-388]: LCM: [ Start Resource ] [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration]
VERBOSE: [fv-az899-388]: LCM: [ Start Test ] [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration]
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Testing configuration of AzureAD CA Policies
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Id was NOT specified
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Found existing Conditional Access policy
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Process IncludeUsers
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Process ExcludeUsers
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Process IncludeGroups
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Process ExcludeGroups
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Location condition defined, processing
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Processing IncludeLocations
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource: Processing ExcludeLocations
VERBOSE: [fv-az899-388]: [[AADConditionalAccessPolicy]KG - Default Users Policy (Device
Compliant Based)::[EntraID]EntraID_Configuration] Get-TargetResource Result:
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=$null
AuthenticationContexts=()
AuthenticationStrength=$null
Environment Information + PowerShell Version
OsName : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage : en-US
OsMuiLanguages : {en-US}
Key : PSVersion
Value : 5.1.20348.2110
Name : PSVersion
Key : PSEdition
Value : Desktop
Name : PSEdition
Key : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name : PSCompatibleVersions
Key : BuildVersion
Value : 10.0.20348.2110
Name : BuildVersion
Key : CLRVersion
Value : 4.0.30319.42000
Name : CLRVersion
Key : WSManStackVersion
Value : 3.0
Name : WSManStackVersion
Key : PSRemotingProtocolVersion
Value : 2.3
Name : PSRemotingProtocolVersion
Key : SerializationVersion
Value : 1.1.0.1
Name : SerializationVersion
Any news on that? I need to configure the authenticationStrength through M365 DSC. So "AuthenticationStrength = "Multifactor authentication";" is not taken into account.
AADConditionalAccessPolicy "AADConditionalAccessPolicy-KG - Default Users Policy (Device Compliant Based)"
{
    AuthenticationContexts = @();
    AuthenticationStrength = "Multifactor authentication";
    BuiltInControls = @("compliantDevice");
    ClientAppTypes = @("all");
    CloudAppSecurityType = "";
    Credential = $Credscredential;
    CustomAuthenticationFactors = @();
    DeviceFilterRule = "";
    DisplayName = "Default Users Policy (device compliant or authenticationStrength)";
    Ensure = "Present";
    ExcludeApplications = @();
    ExcludeExternalTenantsMembers = @();
    ExcludeExternalTenantsMembershipKind = "";
    ExcludeGroups = @();
    ExcludeLocations = @();
    ExcludePlatforms = @();
    ExcludeRoles = @();
    ExcludeUsers = @();
    GrantControlOperator = "OR";
    Id = "";
    IncludeApplications = @("All");
    IncludeExternalTenantsMembers = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups = @();
    IncludeLocations = @();
    IncludePlatforms = @();
    IncludeRoles = @();
    IncludeUserActions = @();
    IncludeUsers = @("All");
    PersistentBrowserMode = "";
    SignInFrequencyType = "";
    SignInRiskLevels = @();
    State = "disabled";
    UserRiskLevels = @();
}
Thanks
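Both configurations on this page declare an authentication strength that the DSC run reports back as AuthenticationStrength=$null, so the practical question for a defender is whether the policy in the tenant actually carries the grant control. The script below is an added example, not code from Microsoft365DSC or from the issue author: it reads the policy and the tenant's authentication strength policies through the Microsoft Graph PowerShell SDK and compares the grant controls against what the DSC parameters intended. It assumes the Microsoft.Graph modules are installed and that Connect-MgGraph has already been run with the Policy.Read.All scope; the function name Test-CaAuthenticationStrength and its parameters are this example's own.

```powershell
# Added example, not code from Microsoft365DSC or from the issue above: an
# out-of-band check that the Conditional Access policy in the tenant actually
# carries the expected authentication strength in its grant controls.
# Assumes the Microsoft.Graph PowerShell SDK and an existing Connect-MgGraph
# session with the Policy.Read.All scope.
#Requires -Modules Microsoft.Graph.Identity.SignIns

function Test-CaAuthenticationStrength {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $PolicyDisplayName,
        [Parameter(Mandatory)] [string]   $ExpectedStrengthDisplayName,
        [string[]] $ExpectedBuiltInControls = @(),
        [string]   $ExpectedOperator = 'OR'
    )

    # Resolve the expected strength by display name instead of hard-coding its id;
    # "Multifactor authentication" is one of the tenant's built-in strengths.
    $strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
        Where-Object DisplayName -eq $ExpectedStrengthDisplayName
    if (-not $strength) {
        throw "Authentication strength '$ExpectedStrengthDisplayName' does not exist in this tenant."
    }

    # Display names are not unique, so refuse to guess when several policies match.
    $policies = @(Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object DisplayName -eq $PolicyDisplayName)
    if ($policies.Count -eq 0) { throw "Conditional Access policy '$PolicyDisplayName' not found." }
    if ($policies.Count -gt 1) { throw "'$PolicyDisplayName' matches $($policies.Count) policies; check by Id instead." }
    $policy = $policies[0]
    $grant  = $policy.GrantControls

    # A $null AuthenticationStrength here is the same condition the DSC verbose log
    # reports as "AuthenticationStrength=$null" in the Get-TargetResource result.
    $actualStrength = if ($grant) { $grant.AuthenticationStrength } else { $null }
    $actualControls = @($grant.BuiltInControls | Where-Object { $_ } | Sort-Object)
    $wantControls   = @($ExpectedBuiltInControls | Where-Object { $_ } | Sort-Object)

    $strengthInSync = ($null -ne $actualStrength) -and ($actualStrength.Id -eq $strength.Id)
    $controlsInSync = (($actualControls -join ',') -eq ($wantControls -join ','))
    $operatorInSync = ($grant.Operator -eq $ExpectedOperator)

    # One object per policy so the result can be logged or fed into a report.
    [pscustomobject]@{
        PolicyId              = $policy.Id
        State                 = $policy.State
        ExpectedStrengthId    = $strength.Id
        ActualStrengthId      = $actualStrength.Id
        ActualStrengthName    = $actualStrength.DisplayName
        ActualBuiltInControls = $actualControls
        Operator              = $grant.Operator
        InSync                = $strengthInSync -and $controlsInSync -and $operatorInSync
    }
}

# Usage, after Connect-MgGraph -Scopes 'Policy.Read.All':
# Test-CaAuthenticationStrength -PolicyDisplayName 'KG - Default Users Policy (Device Compliant Based)' `
#     -ExpectedStrengthDisplayName 'Multifactor authentication' `
#     -ExpectedBuiltInControls 'compliantDevice' -ExpectedOperator 'OR'
```

InSync is false whenever the strength is missing, points at a different strength policy, or the built-in controls or operator differ from what the DSC parameters intended, so the check catches the silent drop described in this issue independently of what the resource's own Test-TargetResource concludes. The returned State is worth reading alongside InSync: the second configuration on this page deploys the policy with State = "disabled", so even a correctly applied strength would not be enforced until the policy is enabled.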