hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0
415 stars 280 forks

azuread_conditional_access_policy - BadRequest with sign_in_frequency_interval = "everyTime" #1416

Open garretth9 opened 1 week ago

garretth9 commented 1 week ago

Terraform (and AzureAD Provider) Version

Terraform v1.5.7 on darwin_arm64

Terraform Configuration Files

resource "azuread_conditional_access_policy" "mfa_always_required" {
  display_name = "MFA_Always_Required"
  state        = "enabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = data.azuread_service_principals.mfa_always_required_apps.client_ids
      excluded_applications = []
    }

    users {
      included_users = ["All"]
      excluded_users = concat(
        data.azuread_users.ca_exempt_break_glass.object_ids
      )
    }
  }

  grant_controls {
    built_in_controls             = ["mfa"]
    operator                      = "OR"
  }

  session_controls {
    sign_in_frequency_interval = "everyTime"
  }
}

Expected Behavior

Attempting to create a new CA policy that requires reauthentication with MFA for every login. Expected behavior is that it will create the policy without errors.

Actual Behavior

╷
│ Error: Could not create conditional access policy
│ 
│   with azuread_conditional_access_policy.mfa_always_required,
│   on ca_rules_always_mfa.tf line 1, in resource "azuread_conditional_access_policy" "mfa_always_required":
│    1: resource "azuread_conditional_access_policy" "mfa_always_required" {
│ 
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400
│ with OData error: BadRequest: 1038: The policy you are trying to create or
│ update contains preview features. Use the Beta endpoint to create or update
│ this policy.

The issue appears to be with the sign_in_frequency_interval = "everyTime", as removing that and using the below session_controls block causes it to create successfully.

  session_controls {
    sign_in_frequency        = 1
    sign_in_frequency_period = "hours"
  }

Steps to Reproduce

  1. terraform apply

manicminer commented 1 week ago

Hi @garretth9, thanks for reporting this issue. I have been able to reproduce this error and spotted a bug in the provider that could be causing this. However, after reworking the request to look like it should, I was still getting the same error.

I could not immediately see another cause for the problem, so I went to the Portal and discovered that it is using the beta (non-production) API for Conditional Access - at least in the case of setting signInFrequencyInterval: "everyTime". Once I amended the (fixed-up) request to use the beta API, it worked perfectly.

It seems the stable (v1.0) API may have stopped supporting this setting, which, if this is the case, would be a breaking API change. The documentation does list this setting as supported in the v1.0 API, which would indicate that this is supposed to work.

I'll open a PR to fix the incorrect logic around session controls, but we will need to figure out what is happening with the stable API before we could merge it. We unfortunately cannot use the beta API at this time (even partially), as the Conditional Access service permanently marks a policy as beta once you amend it with the beta API, making it impossible to use the stable API to manage it.

manicminer commented 1 week ago

API bug reported upstream: https://github.com/microsoftgraph/msgraph-metadata/issues/647