AADConditionalAccessPolicy with TermsOfUse failed to create #4774

Open
vinam779 opened this issue Jun 19, 2024 · 0 comments

Description of the issue

Hello,
I have created a conditional access policy with a TermOfUse set up. I exported it successfully, but when trying to import it to another tenant together with other CA policies, only the one using TermOfUse failed to import with ModuleVersion '1.24.522.1'.
Before importing, I manually created a TermOfUse with the same display name.
In the event log, there is the error below.
Error creating new policy:
{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365dsc\1.24.522.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682

How do I import a CA policy with TermOfUse?

Microsoft 365 DSC Version

1.24.522.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADConditionalAccessPolicy "AADConditionalAccessPolicy-Guests-Require-TOU"
{
    ApplicationId                        = $ConfigurationData.NonNodeData.ApplicationId;
    ApplicationsFilter                   = "CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains `"CA3017`"";
    ApplicationsFilterMode               = "exclude";
    AuthenticationContexts               = @();
    BuiltInControls                      = @();
    CertificateThumbprint                = $ConfigurationData.NonNodeData.CertificateThumbprint;
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "";
    ExcludeGroups                        = @("AZGRP-CA-Exclusion-CA3017");
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @("csgaadadm1@$OrganizationName","csgaadadm2@$OrganizationName");
    GrantControlOperator                 = "OR";
    Id                                   = "34758e32-6333-42c4-ba71-f60b9e6fb19d";
    IncludeApplications                  = @("None");
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @("AZGRP-CA-Persona-Guests");
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @();
    IncludeUserActions                   = @();
    IncludeUsers                         = @();
    PersistentBrowserMode                = "";
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabledForReportingButNotEnforced";
    TenantId                             = $OrganizationName;
    TermsOfUse                           = "[TU01][Guest]";
    #TransferMethods                      = "";
    UserRiskLevels                       = @();
}

Verbose logs showing the problem

VERBOSE: [A92SW001PADX1AP]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]: LCM:  [ Start  Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Testing configuration of AzureAD CA Policies
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] PolicyID was specified
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Couldn't find existing policy by ID {34758e32-6333-42c4-ba71-f60b9e6fb19d}
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] No existing Policy with name {CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU} were found
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Current Values: ApplicationId=***
ApplicationsFilter=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"
ApplicationsFilterMode=exclude
AuthenticationContexts=()
BuiltInControls=()
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
Ensure=Absent
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=(AZGRP-CA-Exclusion-CA3017)
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=([email protected],[email protected])
GrantControlOperator=OR
Id=34758e32-6333-42c4-ba71-f60b9e6fb19d
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=(AZGRP-CA-Persona-Guests)
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserMode=
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=[TU01][Guest]
UserRiskLevels=()
Verbose=True
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Target Values: ApplicationId=***
ApplicationsFilter=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"
ApplicationsFilterMode=exclude
AuthenticationContexts=()
BuiltInControls=()
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityType=
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=(AZGRP-CA-Exclusion-CA3017)
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=([email protected],[email protected])
GrantControlOperator=OR
Id=34758e32-6333-42c4-ba71-f60b9e6fb19d
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=(AZGRP-CA-Persona-Guests)
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserMode=
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=[TU01][Guest]
UserRiskLevels=()
Verbose=True
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Test-TargetResource returned False
VERBOSE: [A92SW001PADX1AP]: LCM:  [ End    Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]  in 1.6720 seconds.
VERBOSE: [A92SW001PADX1AP]: LCM:  [ Start  Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Running Get-TargetResource
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] PolicyID was specified
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Couldn't find existing policy by ID {34758e32-6333-42c4-ba71-f60b9e6fb19d}
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] No existing Policy with name {CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU} were found
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Cleaning up parameters
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU Ensure Present
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create Conditions object
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create Application Condition object
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeusers
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludeusers
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includegroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Adding group to includegroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludegroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Adding group to ExcludeGroups
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeroles
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excluderoles
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process platform condition
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: setting platform condition to null
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process include and exclude locations
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process device filter
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process risk levels and app types
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: UserRiskLevels:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: SignInRiskLevels:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: ClientAppTypes: all
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Adding processed conditions
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create and provision Grant Control object
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Gettign Terms of Use {[TU01][Guest]}
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Adding processed grant controls
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: process session controls
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: create policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Create Parameters:
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] conditions={applications={applicationFilter={mode=exclude
rule=CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"}
excludeApplications=()
includeApplications=(None)}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=(523d202a-1672-4eb6-bb98-9803e21b189a)
excludeRoles=()
excludeUsers=(ecf23ddd-2a4a-4866-b87e-d949acf101e3,c7e3e7f4-16a2-44a7-8e87-c4cd13db5dcb)
includeGroups=(f41bc314-a5f1-4e69-ac2a-11ec520c446f)
includeRoles=()
includeUsers=()}}
displayName=CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
grantControls={operator=OR
termsOfUse=fc9ba7b9-95b0-4369-b761-53e21406de4d}
sessionControls=$null
state=enabledForReportingButNotEnforced
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies with 796-byte payload
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] received 552-byte response of content type application/json
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Failed creating new policy
VERBOSE: [A92SW001PADX1AP]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU] Set-Targetresource: Finished processing Policy CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU
VERBOSE: [A92SW001PADX1AP]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]  in 30.9100 seconds.
VERBOSE: [A92SW001PADX1AP]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU]

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.17763.5830
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.5830
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
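In the "Create Parameters" logged above, `termsOfUse` is printed as a bare value while every other collection is printed in parentheses; in Microsoft Graph, `conditionalAccessGrantControls.termsOfUse` is a string collection, so a practitioner importing this policy into another tenant would want to confirm the agreement resolves there and that the body has array-typed collections before the POST. The pre-flight script below is an added example, not code from the issue or from Microsoft365DSC; it assumes an existing `Connect-MgGraph` session in the target tenant with rights to read agreements and write Conditional Access policies, and the helper names `Resolve-TermsOfUseId` and `Test-CaPolicyBody` are hypothetical.

```powershell
# Added pre-flight check for importing a CA policy that references a Terms of Use
# agreement by display name. Not part of the issue or of Microsoft365DSC.
# Assumes Connect-MgGraph has already been run against the TARGET tenant.

# Properties Graph defines as string collections; a bare string here is a malformed body.
$CollectionPaths = @(
    'conditions.clientAppTypes', 'conditions.applications.includeApplications',
    'conditions.applications.excludeApplications', 'conditions.users.includeGroups',
    'conditions.users.excludeGroups', 'conditions.users.excludeUsers',
    'grantControls.termsOfUse', 'grantControls.builtInControls'
)

function Resolve-TermsOfUseId {
    # Hypothetical helper: looks up an agreement by display name in the connected tenant.
    # Display names are not unique, so refuse to guess when 0 or >1 agreements match.
    param([Parameter(Mandatory)][string]$DisplayName)
    $resp = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements'
    $ids = @($resp.value | Where-Object { $_.displayName -eq $DisplayName } | ForEach-Object { $_.id })
    if ($ids.Count -ne 1) {
        throw "Expected exactly one Terms of Use named '$DisplayName' in this tenant, found $($ids.Count)"
    }
    return $ids[0]
}

function Test-CaPolicyBody {
    # Hypothetical helper: returns a list of collection-typed properties that are present
    # but not arrays (an empty list means the body shape is acceptable).
    param([Parameter(Mandatory)][hashtable]$Body)
    $problems = @()
    foreach ($path in $CollectionPaths) {
        $node = $Body
        foreach ($part in $path.Split('.')) {
            if ($node -is [hashtable] -and $node.ContainsKey($part)) { $node = $node[$part] } else { $node = $null; break }
        }
        if ($null -ne $node -and $node -isnot [System.Collections.IList]) {
            $problems += "$path must be an array, got [$($node.GetType().Name)] '$node'"
        }
    }
    return $problems
}

# Body rebuilt from the issue's "Create Parameters"; GUIDs are the ones shown in the log.
$body = @{
    displayName   = 'CA3017-Guests-AllApps-AnyDevice-AnyWhere-Require-TOU'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('None'); excludeApplications = @()
            applicationFilter = @{ mode = 'exclude'; rule = 'CustomSecurityAttribute.CAExlude_ConditionalAccessPolicies -contains "CA3017"' } }
        users          = @{ includeGroups = @('f41bc314-a5f1-4e69-ac2a-11ec520c446f')
            excludeGroups = @('523d202a-1672-4eb6-bb98-9803e21b189a')
            excludeUsers  = @('ecf23ddd-2a4a-4866-b87e-d949acf101e3', 'c7e3e7f4-16a2-44a7-8e87-c4cd13db5dcb') }
    }
    # Resolved in the target tenant and wrapped as a one-element array, not a bare string.
    grantControls = @{ operator = 'OR'; termsOfUse = @(Resolve-TermsOfUseId -DisplayName '[TU01][Guest]') }
}
$problems = Test-CaPolicyBody -Body $body
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; return }
Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -Body $body
```

If the POST still returns 400 with a well-formed body, the JSON error in the response (not just the status line) identifies which property Graph rejected.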