
Bug in "Update-MgPolicyDefaultAppManagementPolicy"? - restrictionType "customPasswordAddition" and "symmetricKeyAddition" is null even if set?

Open michaelmsonne opened this issue 5 months ago • 1 comments

Describe the bug

I feel this is so strange - no errors when parsing the content via cmdlet "Update-MgPolicyDefaultAppManagementPolicy" in PowerShell, and as I see it the Entra ID Audit log also shows it right...

And when I look in the docs at https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/update-mgpolicydefaultappmanagementpolicy?view=graph-powershell-1.0 it should work just fine....

Working on a small tool as I shared a teaser here: https://www.linkedin.com/feed/update/urn:li:activity:7337869500135919617/ aka "Entra ID Application Policy Manager", so this type of error is a bit annoying as it breaks stuff for people who are using Entra ID Application Management Policies...

Tested here with: 2.28.0 Microsoft.Graph.Applications 2.28.0 Microsoft.Graph.Authentication 2.28.0 Microsoft.Graph.Identity.SignIns

Will test other too soon and update here!

Expected behavior

I expect the values to be set, not returned as "null" if e.g. set to P40D or so.

How to reproduce

  1. Run this to pass it to Graph (will not show any errors):

```powershell
$params = @{
	isEnabled = $true
	applicationRestrictions = @{
		passwordCredentials = @(
			@{
				restrictionType = "passwordAddition"
				maxLifetime = $null
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
			}
			@{
				restrictionType = "passwordLifetime"
				maxLifetime = "P40D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T10:37:00Z")
			}
			@{
				restrictionType = "symmetricKeyAddition"
				maxLifetime = "P40D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
			}
			@{
				restrictionType = "customPasswordAddition"
				maxLifetime = "P40D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
			}
			@{
				restrictionType = "symmetricKeyLifetime"
				maxLifetime = "P40D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
			}
		)
		keyCredentials = @(
			@{
				restrictionType = "asymmetricKeyLifetime"
				maxLifetime = "P30D"
				restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
			}
		)
	}
}

Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params
```


  2. Check if the settings are set - both via the Entra ID Audit log like here:


and via e.g. https://developer.microsoft.com/en-us/graph/graph-explorer with a GET call to "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy" - here you will see this for the above code:


  3. Done - the policy is set in Entra ID - but the 2 parts customPasswordAddition and symmetricKeyAddition are not set - the rest are... This is tested for applicationRestrictions for now (will test more).

SDK Version

2.28.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

```
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params -Verbose
VERBOSE: Performing the operation "Update-MgPolicyDefaultAppManagementPolicy_Update" on target "Call remote 'PATCH /policies/defaultAppManagementPolicy' operation".
```

Configuration

```
$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.26100.4061
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.4061
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Windows 11 26100.3983, x64

Other information

This bug is reported back in the channels I have too, as a Microsoft MVP and as a member of the CCP Communities.

michaelmsonne avatar Jun 11 '25 04:06 michaelmsonne

Tested via Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy -OutputType Json too - and I'm getting the same output with "null" in it even if I pass content there via PATCH and so:


And that is after I was running:

```powershell
# Prepare the body as a hashtable (dates as ISO 8601 strings)
$body = @{
    isEnabled = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                restrictionType = "passwordAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = "2021-01-01T10:37:00Z"
            }
            @{
                restrictionType = "passwordLifetime"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = "2017-01-01T10:37:00Z"
            }
            @{
                restrictionType = "symmetricKeyAddition"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = "2021-01-01T10:37:00Z"
            }
            @{
                restrictionType = "customPasswordAddition"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = "2015-01-01T10:37:00Z"
            }
            @{
                restrictionType = "symmetricKeyLifetime"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = "2015-01-01T10:37:00Z"
            }
        )
        keyCredentials = @(
            @{
                restrictionType = "asymmetricKeyLifetime"
                maxLifetime = "P30D"
                restrictForAppsCreatedAfterDateTime = "2015-01-01T10:37:00Z"
            }
        )
    }
}

# Convert body to JSON
$jsonBody = $body | ConvertTo-Json -Depth 5

# Send PATCH request
Invoke-MgGraphRequest `
    -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy" `
    -Body $jsonBody `
    -ContentType "application/json"
```

So the backend itself is a bit broken as I see it.

michaelmsonne avatar Jun 11 '25 06:06 michaelmsonne
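As an added verification step (not part of the issue or the Graph SDK): after the PATCH described above, read the policy back and diff it against the hashtable that was sent, so a restriction stored with maxLifetime null is surfaced as a finding instead of being trusted because the audit log showed a successful write. The function name, the reduced $intended hashtable and the sample GET response are mine; the response is constructed to match the behaviour the issue reports.

```powershell
# Added example (not from the issue or the Graph SDK): read the policy back after
# the PATCH and diff it against what was sent, so a maxLifetime stored as null is reported.
function Compare-AppManagementRestrictions {
    param(
        [Parameter(Mandatory)] [hashtable] $Intended,  # same shape as $params in the issue
        [Parameter(Mandatory)] [object]    $Actual     # parsed GET response (PSObject or hashtable)
    )
    $findings = @()
    foreach ($section in 'passwordCredentials', 'keyCredentials') {
        $want = @($Intended.applicationRestrictions.$section)
        $have = @($Actual.applicationRestrictions.$section)
        foreach ($w in $want) {
            $h = $have | Where-Object { $_.restrictionType -eq $w.restrictionType }
            if (-not $h) {
                $findings += "$section/$($w.restrictionType): missing from returned policy"
                continue
            }
            # passwordAddition is sent with a null maxLifetime on purpose: only flag a sent value that came back null
            if ($null -ne $w.maxLifetime -and $null -eq $h.maxLifetime) {
                $findings += "$section/$($w.restrictionType): sent $($w.maxLifetime), stored null"
            }
        }
    }
    return $findings
}
# Intended restrictions, reduced to the fields the check needs (mirrors the issue's $params)
$intended = @{ applicationRestrictions = @{
    passwordCredentials = @(
        @{ restrictionType = 'passwordAddition';       maxLifetime = $null },
        @{ restrictionType = 'passwordLifetime';       maxLifetime = 'P40D' },
        @{ restrictionType = 'symmetricKeyAddition';   maxLifetime = 'P40D' },
        @{ restrictionType = 'customPasswordAddition'; maxLifetime = 'P40D' },
        @{ restrictionType = 'symmetricKeyLifetime';   maxLifetime = 'P40D' })
    keyCredentials = @(
        @{ restrictionType = 'asymmetricKeyLifetime';  maxLifetime = 'P30D' }) } }
# Constructed sample of the GET response as the issue describes it. Live equivalent:
#   $actual = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#       -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy'
$actual = @'
{"applicationRestrictions":{"passwordCredentials":[
 {"restrictionType":"passwordAddition","maxLifetime":null},
 {"restrictionType":"passwordLifetime","maxLifetime":"P40D"},
 {"restrictionType":"symmetricKeyAddition","maxLifetime":null},
 {"restrictionType":"customPasswordAddition","maxLifetime":null},
 {"restrictionType":"symmetricKeyLifetime","maxLifetime":"P40D"}],
 "keyCredentials":[{"restrictionType":"asymmetricKeyLifetime","maxLifetime":"P30D"}]}}
'@ | ConvertFrom-Json
Compare-AppManagementRestrictions -Intended $intended -Actual $actual
```

Because the check iterates over what was sent rather than a fixed list, it also covers the keyCredentials section and any restriction type added later without changes.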