hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_conditional_access_policy: Option to define authentication context in policy #882

Open robertbrandso opened 2 years ago

robertbrandso commented 2 years ago

Community Note

Description

In a conditional access policy you have the option to choose an authentication context under Cloud apps or actions. This feature is in preview in Azure AD.

In the azuread_conditional_access_policy resource you have no option to define authentication context.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azuread_conditional_access_policy" "cau012" {
  display_name = "CAU012-AuthCon: Require MFA and compliant for sensitivity label confidential-v1.0"
  state        = "enabled"

  conditions {
    users {
      included_users  = ["All"]
    }
    applications {
      included_authentication_context = ["high"]
    }
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]
  }

  grant_controls {
    built_in_controls = ["mfa", "compliantDevice"]
    operator          = "AND"
  }
}

References

If querying the API and looking at an existing policy with authentication context defined, it looks like this:

"applications": {
    "includeApplications": [],
    "excludeApplications": [],
    "includeUserActions": [],
    "includeAuthenticationContextClassReferences": [
        "c1"
    ]
}
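The applications block above is one piece of a full policy object. As an added example (not the provider's code and not from this issue), the following Go audit reads Graph policy JSON and reports which authentication context class references no enabled policy protects with the built-in "mfa" control, which is the gap a defender would want surfaced if resources are tagged with a context that nothing enforces. It assumes the standard `state` and `grantControls.builtInControls` fields exist next to the `includeAuthenticationContextClassReferences` list quoted above, and the sample policies are constructed.

```go
package main

import "encoding/json"

// Policy is the subset of a Graph beta conditionalAccessPolicy used here: the
// applications block follows the issue; state/grantControls are assumed standard fields.
type Policy struct {
	State      string `json:"state"`
	Conditions struct {
		Applications struct {
			IncludeAuthenticationContextClassReferences []string `json:"includeAuthenticationContextClassReferences"`
		} `json:"applications"`
	} `json:"conditions"`
	GrantControls struct {
		BuiltInControls []string `json:"builtInControls"`
	} `json:"grantControls"`
}

// ParsePolicies decodes a JSON array of policies (the "value" of a Graph list call).
func ParsePolicies(raw []byte) ([]Policy, error) {
	var ps []Policy
	err := json.Unmarshal(raw, &ps)
	return ps, err
}

// ContextsWithoutMFA returns the context references (e.g. "c1") that no enabled policy
// targets via includeAuthenticationContextClassReferences while also requiring "mfa".
func ContextsWithoutMFA(policies []Policy, contexts []string) []string {
	covered := map[string]bool{}
	for _, p := range policies {
		mfa := false
		for _, c := range p.GrantControls.BuiltInControls {
			mfa = mfa || c == "mfa"
		}
		if p.State != "enabled" || !mfa {
			continue // disabled or report-only-style policies do not enforce anything
		}
		for _, ref := range p.Conditions.Applications.IncludeAuthenticationContextClassReferences {
			covered[ref] = true
		}
	}
	missing := []string{}
	for _, c := range contexts {
		if !covered[c] {
			missing = append(missing, c)
		}
	}
	return missing
}
```

Feed it the "value" array from a Graph list of policies together with the context references you have assigned (for instance to sensitivity labels), and an empty result means every assigned context is backed by an enabled MFA policy.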

garretth9 commented 1 year ago

Just wanted to add a note to mention that this feature is apparently no longer in Preview status, so it would definitely be helpful to integrate it into the provider.

manicminer commented 12 months ago

According to the docs, it looks like this is still a preview/beta-only feature.

bhendr5 commented 11 months ago

Looking in the Microsoft Learn docs (https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context) (https://learn.microsoft.com/en-us/entra/identity-platform/developer-guide-conditional-access-authentication-context) and in the Entra portal itself, I can't seem to find any mention of the feature being in preview at this point. Not sure if there are some docs I'm missing?

manicminer commented 11 months ago

@bhendr5 It's only present in the beta API and not in the stable API. For most resources we'd be able to offer this as an optional feature, but for CAPs the APIs are incompatible which currently precludes us from being able to use the beta API.

bhendr5 commented 11 months ago

Makes sense! Neglected to check the actual API, my bad.