AADConditionalAccessPolicy: deployment bug since version 1.24.522.1. It's working with 1.24.515.2
Description of the issue
I'm not able to use the latest version 1.24.522.1 because I have a deployment bug that I don't have with 1.24.515.2. This only concerns a few conditional access policies with a specific configuration. The error I get is:
Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
If I delete the policy I get the same kind of message, but with a "failed to create policy" message. Without changing anything else except the DSC module version, I get a different result. I noticed that with module 1.24.522.1 I have an additional property that appears in the verbose log, which is not set with the 1.24.515.2 module. It's this one: includeGuestsOrExternalUsers=$null
Here is the log when it is successfully deployed with module 1.24.515.2:
Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
Conditions={Applications={ExcludeApplications=()
IncludeApplications=(All)}
ClientAppTypes=(all)
Platforms=$null
SignInRiskLevels=()
UserRiskLevels=(high)
Users={ExcludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
ExcludeRoles=()
ExcludeUsers=()
IncludeGroups=()
IncludeRoles=()
IncludeUsers=(All)}}
DisplayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
GrantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
BuiltInControls=(passwordChange)
Operator=AND}
SessionControls={ApplicationEnforcedRestrictions={}
SignInFrequency={frequencyInterval=everyTime
isEnabled=True}}
State=disabled
VERBOSE: [fv-az631-198]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az631-198]: LCM: [ End Set ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] in 2.0160 seconds.
VERBOSE: [fv-az631-198]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]
And the log when it failed with module 1.24.522.1:
Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
conditions={applications={excludeApplications=()
includeApplications=(All)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=(high)
users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
excludeRoles=()
includeGroups=()
includeGuestsOrExternalUsers=$null
includeRoles=()
includeUsers=(All)}}
displayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
builtInControls=(passwordChange)
operator=AND}
sessionControls={applicationEnforcedRestrictions={}
signInFrequency={frequencyInterval=everyTime
isEnabled=True}}
state=disabled
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/8ef2790f-bd61-420e-a63a-7696463ba906 with 1076-byte payload
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] received 606-byte response of content type application/json
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az520-935]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az520-935]: LCM: [ End Set ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] in 1.0010 seconds.
VERBOSE: [fv-az520-935]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]
Microsoft 365 DSC Version
1.24.522.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime"
{
    AuthenticationContexts = @();
    AuthenticationStrength = "Multifactor authentication";
    BuiltInControls = @("passwordChange");
    ClientAppTypes = @("all");
    CloudAppSecurityType = "";
    Credential = $Credscredential;
    CustomAuthenticationFactors = @();
    DeviceFilterRule = "";
    DisplayName = "CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime";
    Ensure = "Present";
    ExcludeApplications = @();
    ExcludeExternalTenantsMembers = @();
    ExcludeExternalTenantsMembershipKind = "all";
    ExcludeGroups = @("GPAZ-AzureAD-MFA-Bypass");
    ExcludeGuestOrExternalUserTypes = @("b2bCollaborationGuest");
    ExcludeLocations = @();
    ExcludePlatforms = @();
    ExcludeRoles = @();
    ExcludeUsers = @();
    GrantControlOperator = "AND";
    Id = "";
    IncludeApplications = @("All");
    IncludeExternalTenantsMembers = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups = @();
    IncludeLocations = @();
    IncludePlatforms = @();
    IncludeRoles = @();
    IncludeUserActions = @();
    IncludeUsers = @("All");
    PersistentBrowserMode = "";
    SignInFrequencyInterval = "everyTime";
    SignInFrequencyIsEnabled = $True;
    SignInFrequencyType = "";
    SignInRiskLevels = @();
    State = "disabled";
    TransferMethods = "";
    UserRiskLevels = @("high");
}
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP105-Internals-AuthenticationContext-NoCondition-CompliantAndCommonCriteriaRestricted"
{
    AuthenticationContexts = @("Common Criteria Restricted");
    BuiltInControls = @("compliantDevice");
    ClientAppTypes = @("all");
    CloudAppSecurityType = "";
    Credential = $Credscredential;
    CustomAuthenticationFactors = @();
    DeviceFilterRule = "";
    DisplayName = "CAP105-Internals-AuthenticationContext-NoCondition-CompliantAndCommonCriteriaRestricted";
    Ensure = "Present";
    ExcludeApplications = @();
    ExcludeExternalTenantsMembers = @();
    ExcludeExternalTenantsMembershipKind = "all";
    ExcludeGroups = @();
    ExcludeGuestOrExternalUserTypes = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
    ExcludeLocations = @();
    ExcludePlatforms = @();
    ExcludeRoles = @();
    ExcludeUsers = @();
    GrantControlOperator = "AND";
    Id = "39d6eb05-91c5-460e-a4d5-c7e3765bd2db";
    IncludeApplications = @();
    IncludeExternalTenantsMembers = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups = @();
    IncludeLocations = @();
    IncludePlatforms = @();
    IncludeRoles = @();
    IncludeUserActions = @();
    IncludeUsers = @("All");
    PersistentBrowserMode = "";
    SignInFrequencyType = "";
    SignInRiskLevels = @();
    State = "disabled";
    TermsOfUse = "Common Criteria Restricted";
    TransferMethods = "";
    UserRiskLevels = @();
}
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP106-Externals-AuthenticationContext-NoCondition-CommonCriteriaRestricted"
{
    AuthenticationContexts = @("Common Criteria Restricted");
    BuiltInControls = @("compliantDevice");
    ClientAppTypes = @("all");
    CloudAppSecurityType = "";
    Credential = $Credscredential;
    CustomAuthenticationFactors = @();
    DeviceFilterRule = "";
    DisplayName = "CAP106-Externals-AuthenticationContext-NoCondition-CommonCriteriaRestricted";
    Ensure = "Present";
    ExcludeApplications = @();
    ExcludeExternalTenantsMembers = @();
    ExcludeExternalTenantsMembershipKind = "";
    ExcludeGroups = @();
    ExcludeLocations = @();
    ExcludePlatforms = @();
    ExcludeRoles = @();
    ExcludeUsers = @();
    GrantControlOperator = "OR";
    Id = "40c885e0-27de-467d-a720-877f7f7f2d6d";
    IncludeApplications = @();
    IncludeExternalTenantsMembers = @();
    IncludeExternalTenantsMembershipKind = "all";
    IncludeGroups = @();
    IncludeGuestOrExternalUserTypes = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
    IncludeLocations = @();
    IncludePlatforms = @();
    IncludeRoles = @();
    IncludeUserActions = @();
    IncludeUsers = @();
    PersistentBrowserMode = "";
    SignInFrequencyType = "";
    SignInRiskLevels = @();
    State = "disabled";
    TermsOfUse = "Common Criteria Restricted";
    TransferMethods = "";
    UserRiskLevels = @();
}
Verbose logs showing the problem
Updating existing policy with values: ConditionalAccessPolicyId=8ef2790f-bd61-420e-a63a-7696463ba906
conditions={applications={excludeApplications=()
includeApplications=(All)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=(high)
users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
membershipKind=all}
guestOrExternalUserTypes=b2bCollaborationGuest}
excludeRoles=()
excludeUsers=()
includeGroups=()
includeGuestsOrExternalUsers=$null
includeRoles=()
includeUsers=(All)}}
displayName=CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
id=00000000-0000-0000-0000-000000000002}
builtInControls=(passwordChange)
operator=AND}
sessionControls={applicationEnforcedRestrictions={}
signInFrequency={frequencyInterval=everyTime
isEnabled=True}}
state=disabled
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/8ef2790f-bd61-420e-a63a-7696463ba906 with 1076-byte payload
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] received 606-byte response of content type application/json
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Failed change policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [WINAA5CG0368CWW]: [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [WINAA5CG0368CWW]: LCM: [ End Set ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] in 2.1450 seconds.
VERBOSE: [WINAA5CG0368CWW]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]CAP003-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]
Environment Information + PowerShell Version
No response
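The difference between the two verbose logs is that 1.24.522.1 emits `includeGuestsOrExternalUsers=$null` for the unconfigured Include* side of CAP003, while 1.24.515.2 leaves the key out. The following is an added example, not code from Microsoft365DSC or the issue author: it rebuilds the Graph `users` condition from the DSC-style properties shown above, omits guest/external-user objects that are not configured instead of sending them as null, and adds a pre-flight check that lists any property that would serialize as null. The mapping from DSC property names to Graph fields and the function names are assumptions; only the "all external tenants" shape seen in the logs is modelled.

```powershell
# Added example (not Microsoft365DSC code). Property mapping is an assumption based on
# the verbose log in this issue; only the "all external tenants" shape is modelled.
function ConvertTo-CAGuestOrExternalUsers {
    param([string[]] $UserTypes = @(), [string] $MembershipKind = '')
    # Nothing configured (CAP003's Include* side): return $null so the caller omits the key.
    if ($UserTypes.Count -eq 0 -and [string]::IsNullOrEmpty($MembershipKind)) { return $null }
    return @{
        guestOrExternalUserTypes = ($UserTypes -join ',')
        externalTenants          = @{
            '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
            membershipKind = $MembershipKind
        }
    }
}

function New-CAUsersCondition {
    param([hashtable] $P)   # the resource's property bag, keyed like the DSC config above
    $users = @{
        includeUsers  = @($P.IncludeUsers);  excludeUsers  = @($P.ExcludeUsers)
        includeGroups = @($P.IncludeGroups); excludeGroups = @($P.ExcludeGroups)
        includeRoles  = @($P.IncludeRoles);  excludeRoles  = @($P.ExcludeRoles)
    }
    $inc = ConvertTo-CAGuestOrExternalUsers $P.IncludeGuestOrExternalUserTypes $P.IncludeExternalTenantsMembershipKind
    $exc = ConvertTo-CAGuestOrExternalUsers $P.ExcludeGuestOrExternalUserTypes $P.ExcludeExternalTenantsMembershipKind
    # Add the keys only when there is an object to send; an absent key is not the same as null.
    if ($null -ne $inc) { $users.includeGuestsOrExternalUsers = $inc }
    if ($null -ne $exc) { $users.excludeGuestsOrExternalUsers = $exc }
    return $users
}

# Pre-flight check: return the dotted path of every property that would serialize as null.
function Find-NullPayloadProperties {
    param([hashtable] $Object, [string] $Path = '')
    foreach ($key in $Object.Keys) {
        $full = if ($Path) { "$Path.$key" } else { $key }
        if ($null -eq $Object[$key]) { $full }
        elseif ($Object[$key] -is [hashtable]) { Find-NullPayloadProperties $Object[$key] $full }
    }
}

# CAP003 as configured in this issue (the excluded group GUID is taken from the verbose log).
$cap003 = @{
    IncludeUsers = @('All'); ExcludeUsers = @(); IncludeGroups = @(); IncludeRoles = @(); ExcludeRoles = @()
    ExcludeGroups = @('4d724a52-9dd2-4a2e-aa66-da1c54ee56ae')
    IncludeGuestOrExternalUserTypes = @(); IncludeExternalTenantsMembershipKind = ''
    ExcludeGuestOrExternalUserTypes = @('b2bCollaborationGuest'); ExcludeExternalTenantsMembershipKind = 'all'
}
$users = New-CAUsersCondition $cap003
Find-NullPayloadProperties @{ users = $users }   # nothing to report: the Include* key was left out
$users | ConvertTo-Json -Depth 5
# The shape 1.24.522.1 logs for CAP003 (key present, value null) is what the check is meant to catch.
Find-NullPayloadProperties @{ users = @{ includeUsers = @('All'); includeGuestsOrExternalUsers = $null } }
```

Running the check against the hashtable the module is about to PATCH, before the call is made, shows whether a `$null` nested object is being sent for a side of the policy that was never configured.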