AADConditionalAccessPolicy with TermsOfUse failed to create
Description of the issue
Hello, I have created a Conditional Access policy with Terms of Use set up. I exported it successfully, but when importing it into another tenant together with other CA policies, only the one using Terms of Use failed to import with ModuleVersion '1.24.522.1'. Before importing, I had manually created a Terms of Use agreement with the same display name. In the event log there is the error below. Error creating new policy: { Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365dsc\1.24.522.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682
How can I import a CA policy with Terms of Use?
Microsoft 365 DSC Version
1.24.522.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
AADConditionalAccessPolicy "AADConditionalAccessPolicy-Guests-Require-TOU"
{
    ApplicationId                        = $ConfigurationData.NonNodeData.ApplicationId;
    ApplicationsFilter                   = "CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains `"CA3017`"";
    ApplicationsFilterMode               = "exclude";
    AuthenticationContexts               = @();
    BuiltInControls                      = @();
    CertificateThumbprint                = $ConfigurationData.NonNodeData.CertificateThumbprint;
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "";
    # Groups and users are referenced by display name / UPN and resolved to object IDs at apply time
    ExcludeGroups                        = @("AZGRP-CA-Exclusion-CA3017");
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @("csgaadadm1@$OrganizationName","csgaadadm2@$OrganizationName");
    GrantControlOperator                 = "OR";
    Id                                   = "34758e32-6333-42c4-ba71-f60b9e6fb19d";
    IncludeApplications                  = @("None");
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @("AZGRP-CA-Persona-Guests");
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @();
    IncludeUserActions                   = @();
    IncludeUsers                         = @();
    PersistentBrowserMode                = "";
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabledForReportingButNotEnforced";
    TenantId                             = $OrganizationName;
    # The Terms of Use agreement is referenced by display name; the resource looks up
    # the agreement ID in the target tenant when the policy is created
    TermsOfUse                           = "[TU01][Guest]";
    #TransferMethods = "";
    UserRiskLevels                       = @();
}
Verbose logs showing the problem
VERBOSE: [A92SW001PADX1AP]: LCM: [ Start Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]: LCM: [ Start Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Testing configuration of AzureAD CA Policies
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] PolicyID was specified
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Couldn't find existing policy by ID {34758e32-6333-42c4-ba71-f60b9e6fb19d}
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] No existing Policy with name {CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU} were found
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Current Values: ApplicationId=***
ApplicationsFilter=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"
ApplicationsFilterMode=exclude
AuthenticationContexts=()
BuiltInControls=()
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
Ensure=Absent
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=(AZGRP-CA-Exclusion-CA3017)
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=([email protected],[email protected])
GrantControlOperator=OR
Id=34758e32-6333-42c4-ba71-f60b9e6fb19d
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=(AZGRP-CA-Persona-Guests)
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserMode=
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=[TU01][Guest]
UserRiskLevels=()
Verbose=True
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Target Values: ApplicationId=***
ApplicationsFilter=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"
ApplicationsFilterMode=exclude
AuthenticationContexts=()
BuiltInControls=()
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=(AZGRP-CA-Exclusion-CA3017)
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=([email protected],[email protected])
GrantControlOperator=OR
Id=34758e32-6333-42c4-ba71-f60b9e6fb19d
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=(AZGRP-CA-Persona-Guests)
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserMode=
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=[TU01][Guest]
UserRiskLevels=()
Verbose=True
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Test-TargetResource returned False
VERBOSE: [A92SW001PADX1AP]: LCM: [ End Test ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] in 1.6720 seconds.
VERBOSE: [A92SW001PADX1AP]: LCM: [ Start Set ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Running Get-TargetResource
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] PolicyID was specified
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Couldn't find existing policy by ID {34758e32-6333-42c4-ba71-f60b9e6fb19d}
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] No existing Policy with name {CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU} were found
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Cleaning up parameters
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU Ensure Present
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create Conditions object
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create Application Condition object
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeusers
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludeusers
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includegroups
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Adding group to includegroups
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludegroups
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Adding group to ExcludeGroups
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeroles
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excluderoles
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process platform condition
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: setting platform condition to null
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process include and exclude locations
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process device filter
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process risk levels and app types
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: UserRiskLevels:
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: SignInRiskLevels:
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: ClientAppTypes: all
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Adding processed conditions
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create and provision Grant Control object
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Gettign Terms of Use {[TU01][Guest]}
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Adding processed grant controls
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process session controls
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Create Parameters:
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] conditions={applications={applicationFilter={mode=exclude
rule=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"}
excludeApplications=()
includeApplications=(None)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=(523d202a-1672-4eb6-bb98-9803e21b189a)
excludeRoles=()
excludeUsers=(ecf23ddd-2a4a-4866-b87e-d949acf101e3,c7e3e7f4-16a2-44a7-8e87-c4cd13db5dcb)
includeGroups=(f41bc314-a5f1-4e69-ac2a-11ec520c446f)
includeRoles=()
includeUsers=()}}
displayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
grantControls={operator=OR
termsOfUse=fc9ba7b9-95b0-4369-b761-53e21406de4d}
sessionControls=$null
state=enabledForReportingButNotEnforced
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies with 796-byte payload
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] received 552-byte response of content type application/json
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Failed creating new policy
VERBOSE: [A92SW001PADX1AP]: [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Finished processing Policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
VERBOSE: [A92SW001PADX1AP]: LCM: [ End Set ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] in 30.9100 seconds.
VERBOSE: [A92SW001PADX1AP]: LCM: [ End Resource ] [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
Environment Information + PowerShell Version
OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Name Value
---- -----
PSVersion 5.1.17763.5830
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.5830
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
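The verbose log above shows the resource resolving the agreement name to an ID, POSTing to the beta conditionalAccess endpoint, and receiving a 552-byte JSON response that it only summarises as "BadRequest". One thing worth noticing in the logged create parameters: collection-valued properties are printed in parentheses (clientAppTypes=(all), includeGroups=(...)), whereas termsOfUse is printed as a bare GUID, while the Graph schema defines grantControls.termsOfUse as a string collection. The following PowerShell script is an added diagnostic, not code from this issue or from the Microsoft365DSC project. It repeats the same steps directly with the Microsoft Graph PowerShell SDK in the target tenant: it checks that exactly one agreement with the configured display name exists, resolves the two groups, sends the policy with termsOfUse as an array, and prints the full Graph error body if the request is rejected. The agreement, group and policy names are taken from the configuration above; the required scopes and the module names are assumptions of this example, and the ExcludeUsers entries are omitted for brevity.

```powershell
# Added diagnostic script (not from the issue or from Microsoft365DSC).
# Assumes the Microsoft.Graph SDK modules below are installed and that the signing-in
# identity holds Policy.ReadWrite.ConditionalAccess, Agreement.Read.All and Group.Read.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups

param(
    [string] $TermsOfUseName   = '[TU01][Guest]',                                            # from the issue's config
    [string] $IncludeGroupName = 'AZGRP-CA-Persona-Guests',
    [string] $ExcludeGroupName = 'AZGRP-CA-Exclusion-CA3017',
    [string] $DisplayName      = 'CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU'
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Agreement.Read.All', 'Group.Read.All' -NoWelcome

# 1. Resolve the Terms of Use agreement by exact (case-sensitive) display name, the way the
#    resource does, and stop if the lookup is not unambiguous in the target tenant.
$agreements = @(Get-MgIdentityGovernanceTermsOfUseAgreement -All |
    Where-Object { $_.DisplayName -ceq $TermsOfUseName })
switch ($agreements.Count) {
    0       { throw "No Terms of Use agreement named '$TermsOfUseName' exists in this tenant." }
    1       { $touId = $agreements[0].Id; "Terms of Use '$TermsOfUseName' -> $touId" }
    default { throw "$($agreements.Count) agreements share the name '$TermsOfUseName'; the lookup is ambiguous." }
}

# 2. Resolve groups by display name to object IDs, again requiring exactly one match.
function Resolve-GroupId {
    param([string] $Name)
    $escaped = $Name.Replace("'", "''")                     # OData string literal escaping
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'")
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$Name', found $($groups.Count)." }
    $groups[0].Id
}

# 3. Build the same policy the resource logged, with termsOfUse as a string collection.
$policy = @{
    displayName = $DisplayName
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{
            includeApplications = @('None')
            excludeApplications = @()
            applicationFilter   = @{
                mode = 'exclude'
                rule = 'CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"'
            }
        }
        users = @{
            includeGroups = @(Resolve-GroupId -Name $IncludeGroupName)
            excludeGroups = @(Resolve-GroupId -Name $ExcludeGroupName)
        }
    }
    grantControls = @{
        operator   = 'OR'
        termsOfUse = @($touId)                             # array, per the Graph schema
    }
}

# 4. POST to the same beta endpoint the resource used and show the full error body,
#    which the DSC log reduces to "BadRequest" plus a byte count.
try {
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    "Created policy $($created.id) ($($created.displayName)) in state $($created.state)"
}
catch {
    Write-Warning "Graph rejected the policy: $($_.Exception.Message)"
    if ($_.ErrorDetails) { $_.ErrorDetails.Message }       # JSON body with error.code / error.message
    throw
}
```

If the direct POST succeeds with the array form, the difference between this payload and the one in the verbose log narrows the problem down to how the resource serialises termsOfUse; if it fails too, the printed error body names the property Graph actually rejected, which is the detail missing from the DSC event log entry.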
I have the same problem. It is impossible to deploy a policy with TermsOfUse.
Same issue here.