Open cbshapil opened 10 months ago
Is there a workaround for this bug?
Not at this time, but I am working on improving the azuread_conditional_access_policy resource and hope to squash this bug soon.
@GokanDonmez Whilst I've been able to reproduce this, adding "isEnabled": true to the sessionControls object still produces the same 400 error for me?

```json
{
  "conditions": {
    "applications": {
      "includeApplications": [
        "All"
      ],
      "excludeApplications": [],
      "includeUserActions": []
    },
    "clientAppTypes": [
      "all"
    ],
    "devices": null,
    "locations": null,
    "platforms": null,
    "servicePrincipalRiskLevels": [],
    "signInRiskLevels": [],
    "userRiskLevels": [
      "high",
      "medium"
    ],
    "users": {
      "includeUsers": ["none"],
      "excludeUsers": [],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    }
  },
  "displayName": "acctest-CONPOLICY-240611180728063403",
  "grantControls": {
    "operator": "AND",
    "builtInControls": [
      "mfa",
      "passwordChange"
    ],
    "customAuthenticationFactors": [],
    "termsOfUse": []
  },
  "sessionControls": {
    "applicationEnforcedRestrictions": {
      "isEnabled": false
    },
    "cloudAppSecurity": null,
    "disableResilienceDefaults": false,
    "persistentBrowser": null,
    "signInFrequency": {
      "authenticationType": "primaryAndSecondaryAuthentication",
      "frequencyInterval": "everyTime",
      "isEnabled": true
    }
  },
  "state": "disabled"
}
```

```json
{
  "error": {
    "code": "BadRequest",
    "message": "1115: The specified session controls, 'applicationEnforcedRestrictions, disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time is supported. For examples, please see the API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.",
    "innerError": {
      "date": "2024-06-11T17:08:43",
      "request-id": "366029ae-0af1-47e2-8553-af6761d672f4",
      "client-request-id": "366029ae-0af1-47e2-8553-af6761d672f4"
    }
  }
}
```
Same issue on our side, would love a quick fix for it.
Hitting this same issue just now, has been driving me nuts. Sort of glad I can confirm it's not a problem between keyboard and chair :-) But as I'm trying to move all of our CA to being as code through Terraform, this is a major blocker :(
Has anyone found a workaround?
Affected Resource(s)
azuread_conditional_access_policy
Terraform Configuration Files
Actual Behavior
The above policy creation fails with the following error (even though the applicationEnforcedRestrictions and disableResilienceDefaults parameters are not specified):
```
azuread_conditional_access_policy.CADev: Creating...
╷
│ Error: Could not create conditional access policy
│
│   with azuread_conditional_access_policy.CADev,
│   on CADev.tf line 10, in resource "azuread_conditional_access_policy" "CADev":
│   10: resource "azuread_conditional_access_policy" "CADev" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls,
│ 'applicationEnforcedRestrictions, disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time
│ is supported. For examples, please see the API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
╵
```
A similar policy created in Microsoft Graph including the "isEnabled" parameter works fine.
Here's a snippet from the policy created using Microsoft Graph:

```json
"signInFrequency": {
  "value": null,
  "type": null,
  "authenticationType": "primaryAndSecondaryAuthentication",
  "frequencyInterval": "everyTime",
  "isEnabled": true
}
```
References
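The following is an added example, not code from this thread or from the azuread provider. It applies Graph rule 1115, as the error text above states it, to a policy body before it is posted: with the passwordChange grant control, the only session control accepted is signInFrequency with isEnabled true and frequencyInterval everyTime, and a control set to null is treated as not specified (Graph did not list cloudAppSecurity or persistentBrowser in the reproducer). The function names (find_1115_violations, strip_unsupported_session_controls, with_session_control) are mine, and the assumption that dropping the default-off controls the provider sends is enough to satisfy Graph follows from the Graph-created policy in the issue body but is not confirmed anywhere in the thread. The sample body is the reproducer request above, trimmed to the parts the check reads.

```python
"""Pre-flight check for Conditional Access bodies using passwordChange (Graph error 1115).

Added example; not the provider's code. Assumes rule 1115 is exactly what the
error text says and that null means "not specified".
"""
import copy
import json
from typing import Any

# The only session control the 1115 message allows next to passwordChange.
ALLOWED_WITH_PASSWORD_CHANGE = {"signInFrequency"}

# Request body from the reproducer in this thread, trimmed (conditions do not
# matter to rule 1115).
REPRODUCER: dict[str, Any] = {
    "displayName": "acctest-CONPOLICY-240611180728063403",
    "state": "disabled",
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["mfa", "passwordChange"],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
    },
    "sessionControls": {
        "applicationEnforcedRestrictions": {"isEnabled": False},
        "cloudAppSecurity": None,
        "disableResilienceDefaults": False,
        "persistentBrowser": None,
        "signInFrequency": {
            "authenticationType": "primaryAndSecondaryAuthentication",
            "frequencyInterval": "everyTime",
            "isEnabled": True,
        },
    },
}


def uses_password_change(policy: dict[str, Any]) -> bool:
    grant = policy.get("grantControls") or {}
    return "passwordChange" in (grant.get("builtInControls") or [])


def _is_default_off(value: Any) -> bool:
    """True when a control merely restates Graph's default (nothing enabled)."""
    if value is None or value is False:
        return True
    return isinstance(value, dict) and value.get("isEnabled") is False


def _is_every_time_sign_in_frequency(name: str, value: Any) -> bool:
    return (
        name in ALLOWED_WITH_PASSWORD_CHANGE
        and isinstance(value, dict)
        and value.get("isEnabled") is True
        and value.get("frequencyInterval") == "everyTime"
    )


def find_1115_violations(policy: dict[str, Any]) -> list[str]:
    """Names of the specified session controls Graph would list in a 1115 error.

    Nulls are skipped (unspecified). For the reproducer this yields the same two
    names Graph reported: applicationEnforcedRestrictions, disableResilienceDefaults.
    """
    if not uses_password_change(policy):
        return []
    session = policy.get("sessionControls") or {}
    return [
        name
        for name, value in session.items()
        if value is not None and not _is_every_time_sign_in_frequency(name, value)
    ]


def strip_unsupported_session_controls(policy: dict[str, Any]) -> dict[str, Any]:
    """Copy of policy with the session controls rule 1115 rejects removed.

    Default-off controls (isEnabled false, false, null) are dropped; that is all
    the reproducer needs. A control the caller actually enabled is a real
    conflict with passwordChange and raises rather than being dropped silently.
    """
    fixed = copy.deepcopy(policy)
    if not uses_password_change(fixed):
        return fixed
    session = fixed.get("sessionControls") or {}
    for name, value in list(session.items()):
        if _is_every_time_sign_in_frequency(name, value):
            continue
        if _is_default_off(value):
            del session[name]
        else:
            raise ValueError(
                f"session control {name!r} cannot be combined with passwordChange (1115)"
            )
    return fixed


def with_session_control(policy: dict[str, Any], name: str, value: Any) -> dict[str, Any]:
    """Copy of policy with one session control set; used to build test cases."""
    out = copy.deepcopy(policy)
    out.setdefault("sessionControls", {})[name] = value
    return out


if __name__ == "__main__":
    print("Graph would reject:", find_1115_violations(REPRODUCER))
    print(json.dumps(strip_unsupported_session_controls(REPRODUCER)["sessionControls"], indent=2))
```

The check deliberately distinguishes the two situations hidden behind one Graph error: a body that restates defaults (which a client can simply omit, as the Graph-created policy in the issue body does) and a body that genuinely asks for a control Graph will not combine with passwordChange, where silently dropping it would change the policy the operator intended.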