microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.47k stars 448 forks

AADConditionalAccessPolicy with TermsOfUse failed to create #4774

Open vinam779 opened 1 month ago

vinam779 commented 1 month ago

Description of the issue

Hello, I have created a ConditionalAccessPolicy with a TermsOfUse setup. I exported it successfully, but when trying to import it into another tenant with other CA policies, only the one using TermsOfUse failed to import with ModuleVersion '1.24.522.1'. Before importing, I manually created a TermsOfUse with the same display name. In the event log there is the error below.

Error creating new policy: { Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365dsc\1.24.522.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682

How do I import a CA policy with TermsOfUse?

Microsoft 365 DSC Version

1.24.522.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

# The resource block as posted; the enclosing Configuration, the Import-DscResource
# line and the $OrganizationName assignment are added scaffolding so the block compiles
# (they follow the layout Export-M365DSCConfiguration generates).
Configuration M365TenantConfig
{
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.522.1'
    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Node localhost
    {
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-Guests-Require-TOU"
        {
            ApplicationId                        = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationsFilter                   = "CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains `"CA3017`"";
            ApplicationsFilterMode               = "exclude";
            AuthenticationContexts               = @();
            BuiltInControls                      = @();
            CertificateThumbprint                = $ConfigurationData.NonNodeData.CertificateThumbprint;
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            CustomAuthenticationFactors          = @();
            DeviceFilterRule                     = "";
            DisplayName                          = "CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "";
            ExcludeGroups                        = @("AZGRP-CA-Exclusion-CA3017");
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @("csgaadadm1@$OrganizationName","csgaadadm2@$OrganizationName");
            GrantControlOperator                 = "OR";
            Id                                   = "34758e32-6333-42c4-ba71-f60b9e6fb19d";
            IncludeApplications                  = @("None");
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "";
            IncludeGroups                        = @("AZGRP-CA-Persona-Guests");
            IncludeLocations                     = @();
            IncludePlatforms                     = @();
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @();
            PersistentBrowserMode                = "";
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "enabledForReportingButNotEnforced";
            TenantId                             = $OrganizationName;
            # Display name of the Terms of Use agreement; the resource resolves it to an agreement id at Set time.
            TermsOfUse                           = "[TU01][Guest]";
            #TransferMethods                      = "";
            UserRiskLevels                       = @();
        }
    }
}

Verbose logs showing the problem

VERBOSE: [A92SW001PADX1AP]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]: LCM:  [ Start  Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Testing configuration of AzureAD CA Policies
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] PolicyID was specified
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Couldn't find existing policy by ID {34758e32-6333-42c4-ba71-f60b9e6fb19d}
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] No existing Policy with name {CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU} were found
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Current Values: ApplicationId=***
ApplicationsFilter=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"
ApplicationsFilterMode=exclude
AuthenticationContexts=()
BuiltInControls=()
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
Ensure=Absent
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=(AZGRP-CA-Exclusion-CA3017)
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=(csgaadadm1@2xnvs4.onmicrosoft.com,csgaadadm2@2xnvs4.onmicrosoft.com)
GrantControlOperator=OR
Id=34758e32-6333-42c4-ba71-f60b9e6fb19d
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=(AZGRP-CA-Persona-Guests)
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserMode=
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=[TU01][Guest]
UserRiskLevels=()
Verbose=True
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Target Values: ApplicationId=***
ApplicationsFilter=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"
ApplicationsFilterMode=exclude
AuthenticationContexts=()
BuiltInControls=()
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=(AZGRP-CA-Exclusion-CA3017)
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=(csgaadadm1@2xnvs4.onmicrosoft.com,csgaadadm2@2xnvs4.onmicrosoft.com)
GrantControlOperator=OR
Id=34758e32-6333-42c4-ba71-f60b9e6fb19d
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=(AZGRP-CA-Persona-Guests)
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserMode=
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=[TU01][Guest]
UserRiskLevels=()
Verbose=True
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Test-TargetResource returned False
VERBOSE: [A92SW001PADX1AP]: LCM:  [ End    Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]  in 1.6720 seconds.
VERBOSE: [A92SW001PADX1AP]: LCM:  [ Start  Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Running Get-TargetResource
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] PolicyID was specified
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Couldn't find existing policy by ID {34758e32-6333-42c4-ba71-f60b9e6fb19d}
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] No existing Policy with name {CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU} were found
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Cleaning up parameters
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU Ensure Present
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create Conditions object
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create Application Condition object
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeusers
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludeusers
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includegroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Adding group to includegroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludegroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Adding group to ExcludeGroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeroles
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excluderoles
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process platform condition
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: setting platform condition to null
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process include and exclude locations
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process device filter
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process risk levels and app types
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: UserRiskLevels:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: SignInRiskLevels:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: ClientAppTypes: all
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Adding processed conditions
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create and provision Grant Control object
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Gettign Terms of Use {[TU01][Guest]}
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Adding processed grant controls
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process session controls
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Create Parameters:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] conditions={applications={applicationFilter={mode=exclude
rule=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"}
excludeApplications=()
includeApplications=(None)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=(523d202a-1672-4eb6-bb98-9803e21b189a)
excludeRoles=()
excludeUsers=(ecf23ddd-2a4a-4866-b87e-d949acf101e3,c7e3e7f4-16a2-44a7-8e87-c4cd13db5dcb)
includeGroups=(f41bc314-a5f1-4e69-ac2a-11ec520c446f)
includeRoles=()
includeUsers=()}}
displayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
grantControls={operator=OR
termsOfUse=fc9ba7b9-95b0-4369-b761-53e21406de4d}
sessionControls=$null
state=enabledForReportingButNotEnforced
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies with 796-byte payload
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] received 552-byte response of content type application/json
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Failed creating new policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Finished processing Policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
VERBOSE: [A92SW001PADX1AP]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]  in 30.9100 seconds.
VERBOSE: [A92SW001PADX1AP]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.17763.5830
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.5830
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
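Added example (editor's addition, not code from the issue author or from the Microsoft365DSC module). The DSC verbose log above only reports that Graph returned a 552-byte response; the body of that response, which names the rejected property, is never printed. The script below builds the same policy from the "Create Parameters" dump and POSTs it to Graph directly, printing the error body on failure. It also sends grantControls.termsOfUse as a string collection, which is what the Graph schema defines; note that in the log every other collection is printed with parentheses (excludeGroups=(523d…), clientAppTypes=(all)) while termsOfUse is printed bare, so whether the id reaches Graph as an array is worth checking. Assumptions: Microsoft.Graph.Authentication is installed, the signed-in principal holds at least Policy.ReadWrite.ConditionalAccess, Agreement.Read.All, Group.Read.All and User.Read.All, and the function names are this example's own; the agreement, group and user names are those from the issue.

```powershell
# Added troubleshooting example, not Microsoft365DSC code.
# Creates the CA policy from the issue directly through Microsoft Graph so that
#  (a) termsOfUse is sent as a string collection, and
#  (b) the Graph error body hidden behind DSC's "BadRequest" is shown on failure.
# Assumes Microsoft.Graph.Authentication and the scopes listed at the bottom.
#Requires -Modules Microsoft.Graph.Authentication

function Get-AgreementIdByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Terms of Use agreements are exposed under identityGovernance on the beta endpoint.
    $res  = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/beta/identityGovernance/termsOfUse/agreements'
    $hits = @($res.value | Where-Object { $_.displayName -eq $DisplayName })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one agreement named '$DisplayName' in the target tenant, found $($hits.Count)."
    }
    return [string]$hits[0].id
}

function Resolve-DirectoryObjectId {
    # Exact-match lookup of a group or user id; fails on 0 or >1 hits so the policy
    # is never created against the wrong object in the new tenant.
    param(
        [Parameter(Mandatory)][ValidateSet('groups', 'users')][string]$Collection,
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string]$Value
    )
    $escaped = $Value -replace "'", "''"                     # OData string-literal escaping
    $filter  = [uri]::EscapeDataString("$Property eq '$escaped'")
    $res  = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/${Collection}?`$filter=$filter&`$select=id"
    $hits = @($res.value)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one $Collection entry with $Property '$Value', found $($hits.Count)."
    }
    return [string]$hits[0].id
}

function New-TouConditionalAccessPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$AgreementName,
        [Parameter(Mandatory)][string]$IncludeGroup,
        [Parameter(Mandatory)][string]$ExcludeGroup,
        [string[]]$ExcludeUsers = @(),
        [string]$State = 'enabledForReportingButNotEnforced'
    )
    # Same shape as the "Create Parameters" dump in the DSC verbose log.
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            clientAppTypes = @('all')
            applications   = @{
                includeApplications = @('None')
                excludeApplications = @()
                applicationFilter   = @{
                    mode = 'exclude'
                    rule = 'CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"'
                }
            }
            users = @{
                includeGroups = @(Resolve-DirectoryObjectId -Collection groups -Property displayName -Value $IncludeGroup)
                excludeGroups = @(Resolve-DirectoryObjectId -Collection groups -Property displayName -Value $ExcludeGroup)
                excludeUsers  = @($ExcludeUsers | ForEach-Object {
                                    Resolve-DirectoryObjectId -Collection users -Property userPrincipalName -Value $_ })
            }
        }
        grantControls = @{
            operator   = 'OR'
            # grantControls.termsOfUse is a String collection in the Graph schema:
            # the JSON must carry ["<agreement id>"], not "<agreement id>".
            termsOfUse = @(Get-AgreementIdByName -DisplayName $AgreementName)
        }
    }
    $json = $body | ConvertTo-Json -Depth 10
    try {
        return Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' `
            -Body $json -ContentType 'application/json'
    }
    catch {
        # The response body carries the real reason (which property Graph rejected);
        # DSC's log only reports its byte count.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "Graph rejected the policy: $detail`nRequest body was:`n$json"
    }
}

# Usage: interactive sign-in to the *target* tenant, then create the policy by name.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Agreement.Read.All', 'Group.Read.All', 'User.Read.All'
New-TouConditionalAccessPolicy -DisplayName 'CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU' `
    -AgreementName '[TU01][Guest]' `
    -IncludeGroup 'AZGRP-CA-Persona-Guests' -ExcludeGroup 'AZGRP-CA-Exclusion-CA3017' `
    -ExcludeUsers 'csgaadadm1@2xnvs4.onmicrosoft.com', 'csgaadadm2@2xnvs4.onmicrosoft.com'
```

If the direct POST succeeds with the array form while the DSC Set fails, the module's payload is the place to look; if it fails the same way, the printed error body identifies which property the target tenant rejects (for example a filter rule referencing a custom security attribute that does not exist there yet). Either way, the policy is created in report-only state, as in the issue, so nothing is enforced until it has been reviewed.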
gibi916 commented 2 weeks ago

I have the same problem. Impossible to deploy a policy with TermsOfUse