
AADConditionalAccessPolicy: ExcludeGuestOrExternalUserTypes with value "b2bCollaborationGuest" is not applied

Open gbs916 opened this issue 1 year ago • 0 comments

Description of the issue

I want to create a conditional access policy that uses the parameter "Guest or external users" in the exclude part. When I extracted my conditional access policy I get the following value: ExcludeGuestOrExternalUserTypes = @("b2bCollaborationGuest"); But when I use it in my deployment the value is not applied and guest accounts are not excluded. I have the problem with the AuthenticationStrength parameter, which is also not applied when set... I already opened another case for that.

Microsoft 365 DSC Version

1.24.424.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

        AADConditionalAccessPolicy "AADConditionalAccessPolicy-Require MFA and password change for high risk users"
        {
            AuthenticationContexts               = @();
            AuthenticationStrength               = "Multifactor authentication";
            BuiltInControls                      = @();
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            Credential                           = $Credscredential;
            CustomAuthenticationFactors          = @();
            DeviceFilterRule                     = "";
            DisplayName                          = "Require MFA and password change for high risk users";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "all";
            ExcludeGroups                        = @("GPAZ-AzureAD-MFA-Bypass");
            ExcludeGuestOrExternalUserTypes      = @("b2bCollaborationGuest");
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @();
            GrantControlOperator                 = "AND";
            Id                                   = "";
            IncludeApplications                  = @("All");
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "";
            IncludeGroups                        = @();
            IncludeLocations                     = @();
            IncludePlatforms                     = @();
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @("All");
            PersistentBrowserMode                = "";
            SignInFrequencyInterval              = "everyTime";
            SignInFrequencyIsEnabled             = $True;
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "enabled";
            UserRiskLevels                       = @("high");
        }

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

gbs916, May 03 '24 11:05
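Added example, not part of the original issue and not Microsoft365DSC code: a post-deployment check that reports when the guest exclusion or the authentication strength from the configuration above is missing on the deployed policy. The function name `Test-CAPolicyDrift` is hypothetical, the property names are assumed to follow the Microsoft Graph conditionalAccessPolicy resource, and the JSON is constructed sample data mirroring the behaviour reported here.

```powershell
# Added example. Test-CAPolicyDrift is a hypothetical helper; property names are
# assumed to match the Microsoft Graph conditionalAccessPolicy resource.
function Test-CAPolicyDrift {
    param(
        [Parameter(Mandatory)] $Policy,                # policy object in Graph shape
        [string[]] $ExpectedExcludedGuestTypes = @(),  # from ExcludeGuestOrExternalUserTypes
        [string]   $ExpectedAuthStrength = ''          # from AuthenticationStrength
    )
    $findings = @()

    # Graph returns the guest types as one comma-separated string, not an array.
    $raw = $Policy.conditions.users.excludeGuestsOrExternalUsers.guestOrExternalUserTypes
    $actualTypes = @("$raw" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($type in $ExpectedExcludedGuestTypes) {
        if ($actualTypes -notcontains $type) {
            $findings += "ExcludeGuestOrExternalUserTypes: '$type' missing on deployed policy"
        }
    }

    # A missing authenticationStrength object yields an empty string here.
    $actualStrength = "$($Policy.grantControls.authenticationStrength.displayName)"
    if ($ExpectedAuthStrength -and $actualStrength -ne $ExpectedAuthStrength) {
        $findings += "AuthenticationStrength: expected '$ExpectedAuthStrength', found '$actualStrength'"
    }
    return ,$findings
}

# Constructed sample: the policy as it would look if neither setting was applied.
# Against a live tenant, pass the object from Get-MgIdentityConditionalAccessPolicy
# (Microsoft.Graph module) instead; property access is case-insensitive.
$deployed = @'
{
  "displayName": "Require MFA and password change for high risk users",
  "conditions": { "users": {
      "includeUsers": ["All"],
      "excludeGuestsOrExternalUsers": null } },
  "grantControls": { "operator": "AND", "builtInControls": [],
                     "authenticationStrength": null }
}
'@ | ConvertFrom-Json

# Desired values taken from the DSC configuration in the issue.
Test-CAPolicyDrift -Policy $deployed `
    -ExpectedExcludedGuestTypes @('b2bCollaborationGuest') `
    -ExpectedAuthStrength 'Multifactor authentication'
```

Run after each deployment, an empty result means both settings landed; any finding means the policy in the tenant is scoped differently from the configuration.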