Open cbshapil opened 1 year ago
conditions {
  client_app_types = [
    "all",
  ]
  service_principal_risk_levels = []
  sign_in_risk_levels = []
  user_risk_levels = [
    "high",
    "medium",
  ]
  applications {
    excluded_applications = []
    included_applications = [
      "All",
    ]
  }
  users {
    excluded_groups = [
      "956c7c1d-eeb8-454b-aaca-938e97b2ff56"
    ]
    excluded_roles = []
    excluded_users = []
    included_groups = [
      "35ac2a9a-0d74-42e1-6t73-e0bdae507ae1",
    ]
    included_roles = []
    included_users = []
  }
}
grant_controls {
  built_in_controls = [
    "mfa",
    "passwordChange",
  ]
  custom_authentication_factors = []
  operator = "AND"
  terms_of_use = []
}
session_controls {
  sign_in_frequency_authentication_type = "primaryAndSecondaryAuthentication"
  sign_in_frequency_interval = "everyTime"
}
The above policy creation fails with the following error (even though the applicationEnforcedRestrictions and disableResilienceDefaults parameters are not specified):
azuread_conditional_access_policy.CADev: Creating...
╷
│ Error: Could not create conditional access policy
│
│   with azuread_conditional_access_policy.CADev,
│   on CADev.tf line 10, in resource "azuread_conditional_access_policy" "CADev":
│   10: resource "azuread_conditional_access_policy" "CADev" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls,
│ 'applicationEnforcedRestrictions, disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time
│ is supported. For examples, please see the API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
A similar policy created in Microsoft Graph including the "isEnabled" parameter works. Looks like support for this property is required too. I believe this property is equivalent to ticking the "Sign-in frequency" tickbox in the portal experience.
"signInFrequency": {
  "value": null,
  "type": null,
  "authenticationType": "primaryAndSecondaryAuthentication",
  "frequencyInterval": "everyTime",
  "isEnabled": true
}
Ran into the same issue here.
resource "azuread_conditional_access_policy" "require_pw_change_for_risky_users" {
  display_name = "Require Password Change For Risky Users"
  state        = "enabledForReportingButNotEnforced"
  #state = "enabled"
  conditions {
    client_app_types              = ["all"]
    service_principal_risk_levels = []
    sign_in_risk_levels           = []
    user_risk_levels              = ["high"]
    applications {
      included_applications = ["All"]
    }
    users {
      excluded_groups = [azuread_group.group_XYZ.id]
      included_users  = ["All"]
    }
  }
  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "passwordChange"]
  }
  session_controls {
    sign_in_frequency_interval = "everyTime"
  }
}
Results in the error:
│ Error: Could not update conditional access policy with ID: "a57a2b3b-91aa-4256-b186-99533616da36"
│
│ with azuread_conditional_access_policy.require_pw_change_for_risky_users,
│ on conditional_access.tf line 85, in resource "azuread_conditional_access_policy" "require_pw_change_for_risky_users":
│ 85: resource "azuread_conditional_access_policy" "require_pw_change_for_risky_users" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Patch(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls,
│ 'applicationEnforcedRestrictions, disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time is supported. For examples,
│ please see the API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccesspolicy-update?view=graph-rest-1.0.
Hitting this same issue just now, has been driving me nuts. Sort of glad I can confirm it's not a problem between keyboard and chair :-) But as I'm trying to move all of our CA to being as code through Terraform, this is a major blocker :(
Has anyone found a workaround?
I don't think there is a workaround that is feasible at the moment. What I did to still have everything as code and not be blocked with our setup with terraform was to configure it via the portal and import it into the state and code. At least this way I can see the config in code, but it's obviously not possible to adjust this particular config via terraform (you will just get the same error again).
Reopening this as there are clearly still some issues with building incompatible fields in policies.
Fortunately, we have just switched over to using a new SDK which will make it possible to have more fine-grained logic here.
I'm having the same issue with azuread 3.0.1. When passwordChange is set in grant controls, "Require password change" can only be used with sign-in frequency of "Every time". The relevant json in the template:
"grantControls": {
  "operator": "AND",
  "builtInControls": [
    "mfa",
    "passwordChange"
  ],
  "customAuthenticationFactors": [],
  "termsOfUse": [],
  "authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/templates('634b6de7-c38d-4357-a2c7-3842706eedd7')/details/grantControls/authenticationStrength/$entity",
  "authenticationStrength": null
},
"sessionControls": {
  "disableResilienceDefaults": null,
  "applicationEnforcedRestrictions": null,
  "cloudAppSecurity": null,
  "persistentBrowser": null,
  "continuousAccessEvaluation": null,
  "secureSignInSession": null,
  "networkAccessSecurity": null,
  "globalSecureAccessFilteringProfile": null,
  "signInFrequency": {
    "value": null,
    "type": null,
    "authenticationType": "primaryAndSecondaryAuthentication",
    "frequencyInterval": "everyTime",
    "isEnabled": true
  }
}
When importing the policy into state:
"session_controls": [
  {
    "application_enforced_restrictions_enabled": false,
    "cloud_app_security_policy": "",
    "disable_resilience_defaults": false,
    "persistent_browser_mode": "",
    "sign_in_frequency": 0,
    "sign_in_frequency_authentication_type": "primaryAndSecondaryAuthentication",
    "sign_in_frequency_interval": "everyTime",
    "sign_in_frequency_period": ""
  }
]
You essentially end up in a loop where you either get a Missing argument error:
│ "session_controls.0.sign_in_frequency": all of session_controls.0.sign_in_frequency,session_controls.0.sign_in_frequency_period must be specified
Or you have to set the frequency period to days or hours:
Error: expected session_controls.0.sign_in_frequency_period to be one of ["days" "hours"]
Or, when you set the frequency, you get the error previously reported:
│ unexpected status 400 (400 Bad Request) with error: BadRequest: 1115: The specified session controls, 'applicationEnforcedRestrictions, disableResilienceDefaults', are
│ not supported with the password change control; only signInFrequency every time is supported. For examples, please see the API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
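The rule every error in this thread quotes (Graph error 1115) is simple enough to check before the request leaves the pipeline: when builtInControls contains passwordChange, signInFrequency must be enabled with frequencyInterval everyTime and applicationEnforcedRestrictions / disableResilienceDefaults must not be specified. The Python below is an added pre-flight validator, not code from the provider or from anyone in the thread. It runs over two constructed request bodies: one mirroring the working Graph template quoted above (those two controls null, signInFrequency enabled), and one in which the two controls carry an explicit false, the way they appear in the imported Terraform state. That a false value counts as "specified" to the API is an assumption made here, not something the thread confirms.

```python
import json
from typing import Any

# Session controls that Graph error 1115 names as unsupported alongside the
# passwordChange grant control. Any non-null value is treated as "specified"
# (assumption: the API treats an explicit false like any other value).
CONTROLS_INCOMPATIBLE_WITH_PASSWORD_CHANGE = (
    "applicationEnforcedRestrictions",
    "disableResilienceDefaults",
)


def check_password_change_policy(policy: dict[str, Any]) -> list[str]:
    """Return the problems that would trigger Graph error 1115 for this
    conditionalAccessPolicy body; an empty list means the body is consistent."""
    grant = policy.get("grantControls") or {}
    if "passwordChange" not in (grant.get("builtInControls") or []):
        return []  # the rule only applies when passwordChange is used

    problems: list[str] = []
    session = policy.get("sessionControls") or {}

    for name in CONTROLS_INCOMPATIBLE_WITH_PASSWORD_CHANGE:
        if session.get(name) is not None:
            problems.append(f"sessionControls.{name} must be null, got {session[name]!r}")

    sif = session.get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        problems.append("sessionControls.signInFrequency must be present with isEnabled=true")
    elif sif.get("frequencyInterval") != "everyTime":
        problems.append(
            f"signInFrequency.frequencyInterval must be 'everyTime', got {sif.get('frequencyInterval')!r}"
        )
    return problems


# Constructed body mirroring the working Graph template quoted in the thread:
# the incompatible controls are null and signInFrequency is enabled, everyTime.
WORKING_BODY: dict[str, Any] = {
    "displayName": "Require Password Change For Risky Users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["all"],
        "userRiskLevels": ["high"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    "sessionControls": {
        "applicationEnforcedRestrictions": None,
        "disableResilienceDefaults": None,
        "signInFrequency": {
            "value": None,
            "type": None,
            "authenticationType": "primaryAndSecondaryAuthentication",
            "frequencyInterval": "everyTime",
            "isEnabled": True,
        },
    },
}

# Constructed body where the two controls are sent as explicit false values,
# as they appear in the imported Terraform state (assumption: this is the
# shape the API is objecting to in error 1115).
REJECTED_BODY: dict[str, Any] = json.loads(json.dumps(WORKING_BODY))
REJECTED_BODY["sessionControls"]["applicationEnforcedRestrictions"] = {"isEnabled": False}
REJECTED_BODY["sessionControls"]["disableResilienceDefaults"] = False


if __name__ == "__main__":
    for label, body in (("working", WORKING_BODY), ("rejected", REJECTED_BODY)):
        print(label, check_password_change_policy(body) or "OK")
```

Run against a policy body before `POST /identity/conditionalAccess/policies` (or over the JSON a provider emits with debug logging), the validator reports the offending fields by name instead of the opaque 400; a body without passwordChange is passed through untouched, since the restriction does not apply to it.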
Description
The Conditional Access Policy resource is missing the sign_in_frequency 'Every time' parameter in the session_controls block.
Affected Resource(s)
azuread_conditional_access_policy