Error on PR Validation for Conditional Access Policies
Description of the issue
According to the example file (M365ConfigurationDataExample.psd1) the section for conditional access policies should look like:
ConditionalAccessPolicies = @(
    @{
        TransferMethods = 'String | Optional | Names of the associated authentication flow transfer methods. Possible values are '''', ''deviceCodeFlow'', ''authenticationTransfer'', or ''deviceCodeFlow,authenticationTransfer''.'
        PersistentBrowserIsEnabled = 'Boolean | Optional | Specifies, whether Browser Persistence is controlled by the Policy.'
However, when I commit this and it runs the PR validation, I see:
Running tests from 'C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1'
Describing --- Check M365-DSC-CompositeResources configuration ---
Context NonNodeData
Context NonNodeData.AADConditionalAccessPolicy
##[error] [-] NonNodeData.AADConditionalAccessPolicy 45ms (42ms|4ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got @(System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable, ...4 more).
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:8
##[error] [-] NonNodeData.AADConditionalAccessPolicy[0] 7ms (6ms|1ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[0] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:11
##[error] [-] NonNodeData.AADConditionalAccessPolicy[1] 3ms (2ms|1ms)
Microsoft 365 DSC Version
1.25.129.3
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
@{
    NonNodeData = @{
        ConditionalAccessPolicies = @(
            @{
                ApplicationEnforcedRestrictionsIsEnabled = $False
                AuthenticationContexts = @()
                BuiltInControls = @('block')
                ClientAppTypes = @('exchangeActiveSync', 'other')
                CloudAppSecurityIsEnabled = $False
                CloudAppSecurityType = ''
                CustomAuthenticationFactors = @()
                DeviceFilterRule = ''
                DisableResilienceDefaultsIsEnabled = $False....
Etc.
Verbose logs showing the problem
##[error] [-] NonNodeData.AADConditionalAccessPolicy[8] 3ms (2ms|1ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[8] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:35
##[error] [-] NonNodeData.AADConditionalAccessPolicy[9] 3ms (2ms|1ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[9] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:38
##[error] [-] NonNodeData.AADConditionalAccessPolicy[10] 2ms (2ms|0ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[10] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:41
##[error] [-] NonNodeData.AADConditionalAccessPolicy[11] 3ms (2ms|1ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[11] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:44
##[error] [-] NonNodeData.AADConditionalAccessPolicy[12] 13ms (12ms|1ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[12] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:47
##[error] [-] NonNodeData.AADConditionalAccessPolicy[13] 2ms (2ms|1ms)
##[error] Expected $null or empty, because Not available as Composite Resource, but got System.Collections.Hashtable.
##[error] at $inputObject.NonNodeData.AADConditionalAccessPolicy[13] | Should -BeNullOrEmpty -Because 'Not available as Composite Resource', C:\Users\VssAdministrator\AppData\Local\Temp\tmpfklx3t.tests.ps1:50
Tests completed in 425ms
Tests Passed: 0, Failed: 15, Skipped: 0, Inconclusive: 0, NotRun: 0
Environment Information + PowerShell Version
Azure DevOps.
@ykuijs FYI
Seconding this, did we get any update since?
I have not heard anything since logging. Was a shame too; we really wanted to implement this.
This is because of the change in the schema. Since the first release of April, we have changed the schema. Before we used plural naming, but now we are using the exact name of the DSC resource. So before it was named ConditionalAccessPolicies (plural) and now it is named ConditionalAccessPolicy (singular).
The reason that we made this change was that this makes scripting in other places so much easier.
To fix the issue: Check your data file and compare the resource names against the resource names in our documentation. Then just remove the workload prefix (AAD for Azure AD, Intune for Intune, etc.).
FYI: When you have downloaded the M365DSC.CompositeResources module, you can use the New-M365DSCExampleDataFile cmdlet to extract a file that defines the schema to a location you specify in the OutputPath parameter.
This schema lists all allowed DSC resource and parameter names.
Closing the issue for now. If required, feel free to reopen it.
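The comparison suggested in the reply above can be run before a commit reaches PR validation. The following is an added example, not code from the M365DSC project: `Find-UnknownDataKey` is a hypothetical helper, and both hashtables are constructed stand-ins for a data file and for the schema file extracted with `New-M365DSCExampleDataFile`. It assumes the schema describes list entries with a single template hashtable, as in the excerpt quoted in the issue.

```powershell
# Walk a data file and report every key that the schema does not define.
# Find-UnknownDataKey is a hypothetical helper written for this example.
function Find-UnknownDataKey {
    param([hashtable] $Data, [hashtable] $Schema, [string] $Path = 'NonNodeData')
    foreach ($key in $Data.Keys) {
        $here = "$Path.$key"
        if (-not $Schema.ContainsKey($key)) {
            # Renames named in the thread: plural -> singular, workload prefix dropped.
            $candidates = @(($key -replace 'ies$', 'y'), ($key -replace 's$', ''),
                            ($key -creplace '^(AAD|Intune)', ''))
            $hint = @($candidates |
                      Where-Object { $_ -ne $key -and $Schema.ContainsKey($_) } |
                      Select-Object -Unique)
            [pscustomobject]@{ Path = $here; Suggestion = ($hint -join ', ') }
            continue
        }
        $d = $Data[$key]; $s = $Schema[$key]
        if ($d -is [hashtable] -and $s -is [hashtable]) {
            Find-UnknownDataKey -Data $d -Schema $s -Path $here
        }
        elseif ($d -is [array] -and $s -is [array] -and $s.Count -gt 0 -and $s[0] -is [hashtable]) {
            # Check every list entry against the schema's template entry.
            for ($i = 0; $i -lt $d.Count; $i++) {
                if ($d[$i] -is [hashtable]) {
                    Find-UnknownDataKey -Data $d[$i] -Schema $s[0] -Path ('{0}[{1}]' -f $here, $i)
                }
            }
        }
    }
}

# Constructed stand-ins; in a pipeline, load both files with Import-PowerShellDataFile.
$schema = @{ NonNodeData = @{ ConditionalAccessPolicy = @(@{
    BuiltInControls = 'constructed'; ClientAppTypes = 'constructed'
    TransferMethods = 'constructed'; PersistentBrowserIsEnabled = 'constructed' }) } }
$data = @{ NonNodeData = @{ ConditionalAccessPolicies = @(@{
    BuiltInControls = @('block'); ClientAppTypes = @('exchangeActiveSync', 'other') }) } }

$findings = @(Find-UnknownDataKey -Data $data.NonNodeData -Schema $schema.NonNodeData)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { Write-Error "$($findings.Count) key(s) not in schema" }
```

With the constructed input it reports `NonNodeData.ConditionalAccessPolicies` and suggests `ConditionalAccessPolicy`; once the key is renamed, the parameter names inside each policy are checked against the schema entry as well.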