
Get-MgIdentityConditionalAccessPolicy does not show all IncludeGuestsOrExternalUsers properties

Open noendscripting opened this issue 1 year ago • 0 comments

Thanks for reporting the bug. Please ensure you've gone through the following checklist before opening an issue:

  • Make sure you can reproduce this issue using the latest released version of Microsoft.Graph or Microsoft.Graph.Beta.
  • Please search the existing issues to see if there has been a similar issue filed.
  • For issues related to authentication and service errors, please refer to our troubleshooting guide. For service issues, please open a question at https://developer.microsoft.com/graph/support.

Describe the bug

IncludeGuestsOrExternalUsers in the users condition has an "externalTenants" class that has two states. If "All" tenants is selected, only the "membershipKind" property is populated. But if you want to select only specific tenants, a new property is added, an array called "members", where the selected tenant IDs are listed. The SDK is not aware of the members property. When the command is run with the debug switch, it picks up the whole "externalTenants" class.

To Reproduce

Steps to reproduce the behavior:

  1. Execute Get-MgIdentityConditionalAccessPolicy -Filter "id eq ''" -Debug and save the result in a variable
  2. Navigate to the ExternalTenants class using the variable with the saved data; it shows only one property:

C:\Github\azuredeploy\azuredeploy> $policytest2.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants

MembershipKind
--------------
enumerated

Expected behavior

Output should show all properties of the ExternalTenants if tenant selection is used

Debug Output

$policytest2 = Get-MgIdentityConditionalAccessPolicy -Filter "id eq 'a3a242ac-ccd8-41b6-8c7f-dd1c631d3af0'" -Debug
[CmdletBeginProcessing]: - Get-MgIdentityConditionalAccessPolicy begin processing with parameterSet 'List'.
[Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
[Authentication]: - Scopes: [Application.Read.All, AuditLog.Read.All, Device.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All, Directory.Read.All, Domain.ReadWrite.All, Group.ReadWrite.All, GroupMember.Read.All, GroupMember.ReadWrite.All, IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All, openid, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, profile, Reports.Read.All, User.Read, User.Read.All, User.ReadWrite.All, UserAuthenticationMethod.Read.All, email].
============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=id eq %27a3a242ac-ccd8-41b6-8c7f-dd1c631d3af0%27

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/2024.0.0
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.16.0
client-request-id : 60e83dc8-438c-4143-9f47-e196e59c15aa

Body:

============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 23b6a4d4-5340-4d2a-a32a-03387964f55a
client-request-id : 60e83dc8-438c-4143-9f47-e196e59c15aa
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"East US 2","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"BN5PEPF00013565"}}
odata-version : 4.0
Date : Mon, 08 Apr 2024 14:14:44 GMT

Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies",
  "value": [
    {
      "id": "a3a242ac-ccd8-41b6-8c7f-dd1c631d3af0",
      "templateId": null,
      "displayName": "Azure Portal MFA",
      "createdDateTime": null,
      "modifiedDateTime": "2024-04-05T21:07:31.5517677Z",
      "state": "disabled",
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [ "high", "none" ],
        "clientAppTypes": [ "browser", "mobileAppsAndDesktopClients" ],
        "servicePrincipalRiskLevels": [],
        "platforms": null,
        "locations": null,
        "clientApplications": null,
        "applications": {
          "includeApplications": [],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [ "c1" ],
          "applicationFilter": null
        },
        "users": {
          "includeUsers": [],
          "excludeUsers": [],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "excludeGuestsOrExternalUsers": null,
          "includeGuestsOrExternalUsers": {
            "guestOrExternalUserTypes": "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider",
            "externalTenants": {
              "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
              "membershipKind": "enumerated",
              "members": [ "7ba7da43-3602-445b-984e-c724c4fcc84d" ]
            }
          }
        },
        "devices": {
          "deviceFilter": {
            "mode": "include",
            "rule": "device.displayName -startsWith \"ugabooga\" -or device.enrollmentProfileName -eq \"deny\" -and device.isCompliant -eq True"
          }
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [ "mfa" ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('a3a242ac-ccd8-41b6-8c7f-dd1c631d3af0')/grantControls/authenticationStrength/$entity",
        "authenticationStrength": null
      }
    }
  ]
}

Module Version

ModuleType Version PreRelease Name                             ExportedCommands
---------- ------- ---------- ----                             ----------------
Script     2.16.0             Microsoft.Graph.Applications     {Add-MgApplicationKey, Add-MgApplicationPassword, Add-MgServicePrincipalKey, Add-MgServicePrincipalPassword…}
Script     2.16.0             Microsoft.Graph.Authentication   {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Script     2.16.0             Microsoft.Graph.DirectoryObjects {Confirm-MgDirectoryObjectMemberGroup, Confirm-MgDirectoryObjectMemberObject, Get-MgDirectoryObject, Get-MgDirectory…
Script     2.16.0             Microsoft.Graph.Groups           {Add-MgGroupDriveListContentTypeCopy, Add-MgGroupDriveListContentTypeCopyFromContentTypeHub, Add-MgGroupFavorite, Ad…
Script     2.16.0             Microsoft.Graph.Identity.SignIns {Confirm-MgRiskyServicePrincipalCompromised, Confirm-MgRiskyUserCompromised, Get-MgDataPolicyOperation, Get-MgDataPo…
Script     2.16.0             Microsoft.Graph.Users            {Get-MgUser, Get-MgUserCount, Get-MgUserCreatedObject, Get-MgUserCreatedObjectAsServicePrincipal…}

Environment Data

Name                      Value
----                      -----
PSVersion                 7.4.1
PSEdition                 Core
GitCommitId               7.4.1
OS                        Microsoft Windows 10.0.22631
Platform                  Win32NT
PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion      1.1.0.1
WSManStackVersion         3.0

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Add any other context about the problem here.

noendscripting avatar Apr 08 '24 14:04 noendscripting
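A way to audit the enumerated tenant IDs while the typed model lacks the members property, as an added example that is not taken from the issue or from the msgraph-sdk-powershell project. It calls Invoke-MgGraphRequest (from Microsoft.Graph.Authentication) to read the same raw JSON the debug output above shows, and reports the externalTenants scope on both the include and the exclude side of every policy. The function names and the placeholder policy ID are my own; the membershipKind value "all" for the "All tenants" state is assumed from the author's description, since only "enumerated" appears in the captured response.

```powershell
# Added example; not code from the issue author or the SDK project.
# Assumes an existing Connect-MgGraph session that holds Policy.Read.All.

function Get-CaExternalTenantScope {
    # Takes one raw policy object (as returned by Invoke-MgGraphRequest -OutputType PSObject)
    # and emits one record per guest/external-user side that is configured.
    param([Parameter(Mandatory)] $Policy)

    foreach ($side in 'includeGuestsOrExternalUsers', 'excludeGuestsOrExternalUsers') {
        $scope = $Policy.conditions.users.$side
        if ($null -eq $scope) { continue }

        $ext = $scope.externalTenants
        # membershipKind is the discriminator: "enumerated" carries the tenant IDs in
        # "members"; "all" (assumed value for the All-tenants state) carries no list.
        $tenantIds = if ($null -ne $ext -and $ext.membershipKind -eq 'enumerated') {
            @($ext.members)
        } else {
            @()
        }

        [pscustomobject]@{
            PolicyId       = $Policy.id
            DisplayName    = $Policy.displayName
            State          = $Policy.state
            Side           = $side
            UserTypes      = $scope.guestOrExternalUserTypes
            MembershipKind = if ($null -ne $ext) { $ext.membershipKind } else { $null }
            TenantIds      = $tenantIds
        }
    }
}

function Get-AllCaExternalTenantScopes {
    # Walks the whole policy collection, following @odata.nextLink for paging,
    # so the report covers every Conditional Access policy in the tenant.
    $uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($p in $page.value) { Get-CaExternalTenantScope -Policy $p }
        $uri = $page.'@odata.nextLink'
    }
}

# Usage 1: a single policy (placeholder ID; replace with a real policy id).
$policyId = '00000000-0000-0000-0000-000000000000'
$single = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$policyId" `
    -OutputType PSObject
Get-CaExternalTenantScope -Policy $single | Format-List

# Usage 2: every policy that scopes external users to specific tenants.
Get-AllCaExternalTenantScopes |
    Where-Object { $_.MembershipKind -eq 'enumerated' } |
    Select-Object DisplayName, State, Side, @{ n = 'TenantIds'; e = { $_.TenantIds -join ',' } } |
    Format-Table -AutoSize
```

Reading the raw response sidesteps the SDK's typed class entirely, so the output is whatever Graph returns today; once the SDK model gains the members property, the same filter can be expressed against Get-MgIdentityConditionalAccessPolicy instead.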