search

maester365 / maester

The core repository for the Maester module with helper cmdlets that will be called from the Pester tests.
https://maester.dev
MIT License
365 stars 89 forks source link

Dynamic group membership is not evalued correctly by the CA Beta endpoint and GUI Whatif New experience mode #508

Closed milanschwartz closed 4 weeks ago

milanschwartz commented 1 month ago

Merril,

I have two policies. Policy B is evaluated correctly on GUI Whatif (new experinence) and Beta evaluation endpoint. Policy A shows "Not enough Information" as the reason why it is not applied.

Policy A: fails evaluation Include group: DynamicGroupA ClientAppType: browser Include cloud app: App A Grant control: MFA

Policy B: evaluated correctly Include: All users ClientAppType: browser Include cloud app: App A Grant control: SigninFrequency

I set up the evaluation by using a member of DynamicGroupA, client app type as browser, target app as App A.

Side note: Classic GUI Whatif evaluates both policies properly.

Can you please communicate this issue with the product team?

milanschwartz commented 1 month ago

I see the same behaviour if the policy contains directory role condition. Beta eval endpoint and new what if experience fail to find policies that apply, old what if tool does find them with same input.

merill commented 4 weeks ago

Thanks for reporting. Since this is not related to Maester, I'll move this to a discussion and share internally,