Open garretth9 opened 1 week ago
Hi @garretth9, thanks for reporting this issue. I have been able to reproduce this error and spotted a bug in the provider that could be causing this. However, after reworking the request to look like it should, I was still getting the same error.
I could not immediately see another cause for the problem, so I went to the Portal and discovered that it is using the beta (non-production) API for Conditional Access - at least in the case of setting signInFrequencyInterval: "everyTime". Once I amended the (fixed-up) request to use the beta API, it worked perfectly.
It seems the stable (v1.0) API may have stopped supporting this setting, which, if this is the case, would be a breaking API change. The documentation does list this setting as supported in the v1.0 API, which would indicate that this is supposed to work.
I'll open a PR to fix the incorrect logic around session controls, but we will need to figure out what is happening with the stable API before we could merge it. We can unfortunately not use the beta API at this time (even partially), as the Conditional Access service permanently marks a policy as beta once you amend it with the beta API, making it impossible to use the stable API to manage it.
API bug reported upstream: https://github.com/microsoftgraph/msgraph-metadata/issues/647
Community Note
Terraform (and AzureAD Provider) Version
Terraform v1.5.7 on darwin_arm64
Affected Resource(s)
azuread_conditional_access_policy
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
Attempting to create a new CA policy that requires reauthentication with MFA for every login. Expected behavior is that it will create the policy without errors.
Actual Behavior
The issue appears to be with the sign_in_frequency_interval = "everyTime", as removing that and using the below session_controls block causes it to create successfully
Steps to Reproduce
terraform apply
Important Factoids
References