AlexFilipin / ConditionalAccess

MIT License

Updating a CA policy with: "condition" including "all states" and excluding "Compliant","DomainJoined" generates error #1

Closed WilliamOverweg closed 4 years ago

WilliamOverweg commented 4 years ago

An example policy from the repository to replicate the error is: "Data protection - All apps No persistent browser session When on untrusted device"

Creating this policy works without any issues.

When deploying the same policy again, it generates the following error:

```
Invoke-RestMethod : {
  "error": {
    "code": "BadRequest",
    "message": "The server could not process the request because it is malformed or incorrect.",
    "innerError": {
      "message": "1060: 'deviceStates' and 'devices' conditions cannot be set together. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccesspolicy-update?view=graph-rest-beta.",
      "request-id": "9bbe13e1-999d-42f9-8d11-448acd907502",
      "date": "2020-04-28T10:41:12"
    }
  }
}
At C:\Source\VSTS\POR\ConditionalAccess-master\Deploy-Policies.ps1:172 char:40
```

Any idea how to resolve this issue? Thanks!

AlexFilipin commented 4 years ago

@WilliamOverweg Did you make any changes to the JSON? Could you please post the JSON you are trying to import/update and I will take a look

WilliamOverweg commented 4 years ago

Thanks for the quick response.

This section doesn't allow upload of JSON files, so I will post the file as a .txt file: JSON With Device States.txt

AlexFilipin commented 4 years ago

I will take a look this afternoon (after 7PM; it's 2PM here atm). I am anyway trying to plan an update for the update logic and introduce an option for ring-based deployments.

WilliamOverweg commented 4 years ago

Thanks a lot! Looking forward to your findings and update.

AlexFilipin commented 4 years ago

I believe you are using "deviceStates" instead of "devices". I just replicated your policy with the GUI and exported it via Graph Explorer and it looks like this. JSON.With.Device.States2.json.txt

AlexFilipin commented 4 years ago

Actually, that might be a recent change to the beta Graph APIs; the policies in the repository are also using "deviceStates", e.g. https://github.com/AlexFilipin/ConditionalAccess/blob/master/PolicyRepository/Data%20protection/Data%20protection%20-%20All%20apps%20No%20persistent%20browser%20session%20When%20on%20untrusted%20device.json

I will take a more detailed look when I find time this week and keep the issue open; in the meantime, give it a try with "devices" instead of "deviceStates".

WilliamOverweg commented 4 years ago

I can confirm the policy updates properly when using the "devices" parameters from the JSON you supplied:

```json
"devices": {
  "includeDeviceStates": [ "All" ],
  "excludeDeviceStates": [ "Compliant", "DomainJoined" ]
}
```

Awesome! Thanks a lot.

AlexFilipin commented 4 years ago

Updated the policy repository as part of release V1.1 to switch from "devicestates" to "devices" https://github.com/AlexFilipin/ConditionalAccess/wiki/Release-History#v11
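The migration the thread settles on, written out as an added PowerShell example. This is not code from the AlexFilipin/ConditionalAccess repository or its Deploy-Policies.ps1: it rewrites a policy body that still carries the legacy `conditions.deviceStates` object into the `conditions.devices` shape confirmed above, drops the legacy key so a PATCH can never carry both (the 1060 BadRequest from the first post), and only then sends the body. Assumptions: the legacy object uses `includeStates`/`excludeStates` (exports that already use `includeDeviceStates`/`excludeDeviceStates` are handled too), the sample policy JSON is constructed for this example, and the PATCH goes to the Graph beta `identity/conditionalAccess/policies/{id}` endpoint that the error message links to.

```powershell
# Added example for this issue; not the repository's own deployment code.
# Migrates "deviceStates" -> "devices" and blocks a body that has both,
# which is what Graph rejects with error 1060.
# Assumption: legacy object carries includeStates/excludeStates.

# Constructed sample policy (not an export from the repository).
$samplePolicyJson = @'
{
  "displayName": "Data protection - All apps No persistent browser session When on untrusted device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": [ "All" ] },
    "applications": { "includeApplications": [ "All" ] },
    "deviceStates": {
      "includeStates": [ "All" ],
      "excludeStates": [ "Compliant", "DomainJoined" ]
    }
  },
  "sessionControls": {
    "persistentBrowser": { "isEnabled": true, "mode": "never" }
  }
}
'@

function Get-FirstProperty {
    # Value of the first property in $Names that exists on $Object; no output otherwise.
    param($Object, [string[]]$Names)
    foreach ($n in $Names) {
        $p = $Object.PSObject.Properties[$n]
        if ($null -ne $p) { return $p.Value }
    }
}

function Convert-DeviceStatesCondition {
    # Moves conditions.deviceStates into conditions.devices and removes the legacy key.
    param([Parameter(Mandatory)][pscustomobject]$Policy)
    $conditions = $Policy.conditions
    if ($null -eq $conditions) { return $Policy }
    $legacy = Get-FirstProperty -Object $conditions -Names @('deviceStates')
    if ($null -eq $legacy) { return $Policy }   # already on "devices", nothing to do

    # Accept either naming scheme on the legacy object (assumption, see lead-in).
    $include = @(Get-FirstProperty -Object $legacy -Names @('includeDeviceStates', 'includeStates') | Where-Object { $null -ne $_ })
    $exclude = @(Get-FirstProperty -Object $legacy -Names @('excludeDeviceStates', 'excludeStates') | Where-Object { $null -ne $_ })

    $devices = [pscustomobject]@{
        includeDeviceStates = $include
        excludeDeviceStates = $exclude
    }
    # -Force overwrites any existing "devices" key so exactly one condition object remains.
    $conditions | Add-Member -NotePropertyName 'devices' -NotePropertyValue $devices -Force
    $conditions.PSObject.Properties.Remove('deviceStates')
    return $Policy
}

function Test-DeviceConditionConflict {
    # $true when the body would trip Graph error 1060 (both conditions set together).
    param([Parameter(Mandatory)][pscustomobject]$Policy)
    $c = $Policy.conditions
    if ($null -eq $c) { return $false }
    $hasLegacy = $null -ne $c.PSObject.Properties['deviceStates']
    $hasNew    = $null -ne $c.PSObject.Properties['devices']
    return ($hasLegacy -and $hasNew)
}

function Update-ConditionalAccessPolicy {
    # PATCH the migrated body to Graph beta. Token and policy id come from the caller.
    param(
        [Parameter(Mandatory)][pscustomobject]$Policy,
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $Policy = Convert-DeviceStatesCondition -Policy $Policy
    if (Test-DeviceConditionConflict -Policy $Policy) {
        throw "Refusing to PATCH: 'deviceStates' and 'devices' conditions cannot be set together (Graph error 1060)."
    }
    $body = $Policy | ConvertTo-Json -Depth 10
    Invoke-RestMethod -Method Patch `
        -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$PolicyId" `
        -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } `
        -Body $body
}

# Offline run on the constructed sample: migrate, check, and print the body instead of sending it.
$policy = $samplePolicyJson | ConvertFrom-Json
$policy = Convert-DeviceStatesCondition -Policy $policy
"Conflict after migration: $(Test-DeviceConditionConflict -Policy $policy)"
$policy.conditions | ConvertTo-Json -Depth 10
```

Running the bottom section prints `Conflict after migration: False` and a `conditions` object whose only device condition is `devices` with `includeDeviceStates: ["All"]` and `excludeDeviceStates: ["Compliant","DomainJoined"]`. The conflict check is deliberately separate from the migration: a re-exported policy from a newer portal already contains `devices`, and a naive merge of an old repository JSON over it would reproduce the exact 1060 error from the first post.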