msgraph-sdk-powershell
Update-MgIdentityConditionalAccessPolicy "1054: Invalid servicePrincipal value: ."
Describe the bug
When I try to remove all existing service principal IDs in a selected conditional policy condition by defining IncludeServicePrincipals = '', it ends with an error.
I've tried to use:
IncludeServicePrincipals = $null
IncludeServicePrincipals = @()
but both tries ended with an empty body, a.k.a. nothing happened.
How am I supposed to select NONE then?
To Reproduce
Steps to reproduce the behavior:
$params = @{
Conditions = @{
ClientApplications = @{
IncludeServicePrincipals = ''
}
}
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <idofsomeCA> -Conditions $params.Conditions -Debug
Expected behavior
Existing service principals defined in such a conditional policy should be removed.
Debug Output
Run the problematic command with -Debug and paste the resulting debug stream below. ⚠ ATTENTION: Be sure to remove any sensitive information that may be in the logs.
Module Version
Please run Get-Module Microsoft.Graph* after cmdlet execution and paste the output below. If a module cannot be installed or imported, please run Get-Module -ListAvailable and paste the output.
Environment Data
Please run $PSVersionTable and paste the output below. If running the Docker container image, indicate the tag of the image used and the version of Docker engine.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
I've been looking through some of the API doco, but am still not confident with my answer. The doco (such as this page here: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessconditionset?view=graph-rest-1.0), suggests that there are some pre-built terms (such as browser, mobileAppsAndDesktopClients, high, medium, low etc.)
As a thought...have you tried using includeServicePrincipals = "none"
I haven't gone down enough to look at the API spec to see exactly what it is looking for though.
Problem is I am trying to set "clientApplications" which has no such option.
Btw I've found how to select "NONE" using the following code
$body = '{
"conditions": {
"clientApplications": null
}
}'
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$blockCAId" -Body $body
But the question is still the same: how can I achieve this using the native Update-MgIdentityConditionalAccessPolicy command?
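An added example (not from this thread or the SDK) that wraps the working PATCH above in a script and then reads the policy back, so a silently ignored update does not leave the old service principals in scope. The policy ID is a placeholder you must supply; the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules are assumed to be installed.

```powershell
# Placeholder: replace with the ID of the Conditional Access policy to change.
$PolicyId = '<conditional-access-policy-id>'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# ConvertTo-Json keeps $null values, so the body carries an explicit JSON null for
# clientApplications. The thread reports that passing $null or @() through the
# -Conditions hashtable of Update-MgIdentityConditionalAccessPolicy yields an empty
# body instead, which is why nothing changed there.
$body = @{
    conditions = @{
        clientApplications = $null
    }
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$PolicyId" `
    -Body $body -ContentType 'application/json'

# Verify the change landed: an update that was dropped on the floor is worse than
# an error, because the policy would still target the old service principals.
$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
$remaining = $policy.Conditions.ClientApplications.IncludeServicePrincipals
if ($remaining) {
    throw "Policy $PolicyId still includes service principals: $($remaining -join ', ')"
}
Write-Host "clientApplications cleared on policy '$($policy.DisplayName)'."
```

Run it with an account that holds the Conditional Access Administrator role or equivalent consented scopes; the read-back at the end is what confirms the condition is really gone.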
I'm looking back at the original code you wrote and comparing it to what worked using the Invoke-MgGraphRequest
$params = @{
Conditions = @{
ClientApplications = @{
IncludeServicePrincipals = ''
}
}
}
vs
$body = '{
"conditions": {
"clientApplications": null
}
}'
I can see that in the one which worked, you've dropped the IncludeServicePrincipals, and are just using "clientApplications". Consequently, were you not able to get this working by doing:
$params = @{
Conditions = @{
ClientApplications = "null"
}
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId -Conditions $params.Conditions
I've tried various parameter options, but every time the sent request body was empty, which I believe is the problem: the function Update-MgIdentityConditionalAccessPolicy thinks there is nothing to change.