MSFT_AADConditionalAccessPolicy sessioncontrols

Open bartvermeersch opened this issue 1 year ago • 0 comments

I have an issue with the session controls in conditional access policies. Unfortunately I don't have the know-how nor the infrastructure to test it thoroughly, so I want to discuss it here.

I believe these three properties should all return $false when the current values are undefined. Otherwise if you specify them as $false in your DSC config, the test will fail and the policy will be updated every time (in vain).

1. CloudAppSecurityIsEnabled

https://github.com/microsoft/Microsoft365DSC/blob/67746f9c18a1dd98823d32983ae4ca3ba21c7026/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1#L657-L658

I believe this should be cast explicitly to Boolean, otherwise it contains `$null` instead of `$false` when undefined: `CloudAppSecurityIsEnabled = [System.Boolean]$Policy.SessionControls.CloudAppSecurity.IsEnabled`

2. SignInFrequencyIsEnabled

https://github.com/microsoft/Microsoft365DSC/blob/67746f9c18a1dd98823d32983ae4ca3ba21c7026/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1#L661-L662

I believe the comment (and code) is wrong; it should also return `$false` when undefined: `SignInFrequencyIsEnabled = [System.Boolean]$Policy.SessionControls.SignInFrequency.IsEnabled`

3. PersistentBrowserIsEnabled

https://github.com/microsoft/Microsoft365DSC/blob/67746f9c18a1dd98823d32983ae4ca3ba21c7026/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1#L668-L669

Again, I believe the comment (and code) is wrong; it should also return `$false` when undefined: `PersistentBrowserIsEnabled = [System.Boolean]$Policy.SessionControls.PersistentBrowser.IsEnabled`

bartvermeersch, Mar 22 '24 11:03
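
The `$null` versus `$false` mismatch described in the issue, as an added example that is not part of the original post and is not Microsoft365DSC code. The policy object, `Get-SessionControlState` and `Get-DriftedProperty` are hypothetical stand-ins for the resource's get and test steps, and the script assumes strict mode is off, so reading a property of `$null` yields `$null`.

```powershell
# Constructed sample: a policy with no session controls configured, so the
# nested CloudAppSecurity / SignInFrequency / PersistentBrowser objects are absent.
$Policy = [pscustomobject]@{
    DisplayName     = 'Constructed sample policy'
    SessionControls = [pscustomobject]@{
        CloudAppSecurity  = $null
        SignInFrequency   = $null
        PersistentBrowser = $null
    }
}

# Desired state as it would be written in a DSC configuration.
$Desired = @{
    CloudAppSecurityIsEnabled  = $false
    SignInFrequencyIsEnabled   = $false
    PersistentBrowserIsEnabled = $false
}

# Hypothetical helper: builds the "current values" table with or without the cast.
function Get-SessionControlState {
    param([Parameter(Mandatory)] $Policy, [switch] $CastToBoolean)
    $raw = [ordered]@{
        CloudAppSecurityIsEnabled  = $Policy.SessionControls.CloudAppSecurity.IsEnabled
        SignInFrequencyIsEnabled   = $Policy.SessionControls.SignInFrequency.IsEnabled
        PersistentBrowserIsEnabled = $Policy.SessionControls.PersistentBrowser.IsEnabled
    }
    if (-not $CastToBoolean) { return $raw }
    $cast = [ordered]@{}
    # [System.Boolean]$null converts to $false, which is the cast proposed in the issue.
    foreach ($key in $raw.Keys) { $cast[$key] = [System.Boolean]$raw[$key] }
    return $cast
}

# Hypothetical stand-in for the test step: emits each property that differs.
function Get-DriftedProperty {
    param([hashtable] $Desired, $Current)
    foreach ($key in $Desired.Keys) {
        # ($null -eq $false) evaluates to $false, so an undefined value counts as drift.
        if (-not ($Current[$key] -eq $Desired[$key])) { $key }
    }
}

$uncast = Get-SessionControlState -Policy $Policy
$cast   = Get-SessionControlState -Policy $Policy -CastToBoolean
"Drifted without cast: $(@(Get-DriftedProperty -Desired $Desired -Current $uncast) -join ', ')"
"Drifted with cast:    $(@(Get-DriftedProperty -Desired $Desired -Current $cast) -join ', ')"
```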