-
Notifications
You must be signed in to change notification settings - Fork 503
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AADConditionalAccessPolicy: Get error "Failed creating new policy" or "Failed changing policy" since Update to V1.24.1106.1 #5365
Comments
@FabienTschanz thanks for the info. I will test when version 1.24.1106.2 is available on PS gallery. |
@FabienTschanz , unfortunately I still have the same error after updating to version 1.24.1106.3.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of the issue
I had to downgrade to version 1.24.1016.1 because I have a problem deploying the AADConditionalAccessPolicy resource with the version 1.24.1106.1.
I joined the Verbose logs for working (1.24.1016.1) and not working (1.24.1106.1) case.
Working.txt
NotWorking.txt
If there is no change on the Policy, the DSC task is success. If there is a change or if it's a new Policy, there is an error.
For info my app registration has all the permissions mentioned in the doc: Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All
Microsoft 365 DSC Version
1.24.1106.1
Which workloads are affected
Azure Active Directory (Entra ID)
The DSC configuration
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant"
{
ApplicationId = "xxx";
ApplicationEnforcedRestrictionsIsEnabled = $False;
AuthenticationContexts = @();
AuthenticationStrength = "Multifactor authentication";
BuiltInControls = @("compliantDevice");
CertificateThumbprint = "xxxx";
ClientAppTypes = @("all");
CloudAppSecurityIsEnabled = $False;
CloudAppSecurityType = "";
CustomAuthenticationFactors = @();
DeviceFilterRule = "";
DisplayName = "Test-CAP001-Global-AllApps-NoCondition-MFAorCompliant";
Ensure = "Present";
ExcludeApplications = @("5c91ae52-d26e-444-aa28-31fd7e705483","55d611b0-7d33-8888-8df3-6041868930d7","00000009-0000-0000-c000-000000000000");
ExcludeExternalTenantsMembers = @();
ExcludeExternalTenantsMembershipKind = "all";
ExcludeGroups = @("GPAZ-AzureAD-MFA-Bypass");
ExcludeGuestOrExternalUserTypes = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
ExcludeLocations = @();
ExcludePlatforms = @();
ExcludeRoles = @();
ExcludeUsers = @();
GrantControlOperator = "OR";
IncludeApplications = @("All");
IncludeExternalTenantsMembers = @();
IncludeExternalTenantsMembershipKind = "";
IncludeGroups = @();
IncludeLocations = @();
IncludePlatforms = @();
IncludeRoles = @();
IncludeUserActions = @();
IncludeUsers = @("All");
PersistentBrowserIsEnabled = $False;
PersistentBrowserMode = "";
SignInFrequencyIsEnabled = $False;
SignInFrequencyType = "";
SignInRiskLevels = @();
State = "enabled";
TenantId = "toto.onmicrosoft.com";
UserRiskLevels = @();
}
Verbose logs showing the problem
2024-11-08T07:28:21.4890627Z insiderRiskLevels=
2024-11-08T07:28:21.4894714Z
2024-11-08T07:28:21.4904645Z platforms=$null
2024-11-08T07:28:21.4905153Z
2024-11-08T07:28:21.5710111Z signInRiskLevels=()
2024-11-08T07:28:21.6750447Z ##[error]Set-Targetresource: Failed changing policy CAP001-Global-AllApps-NoCondition-MFAorCompliant
2024-11-08T07:28:21.6769980Z
2024-11-08T07:28:21.6779275Z userRiskLevels=()
2024-11-08T07:28:21.6819392Z
2024-11-08T07:28:21.7070014Z ##[error]+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-TargetResource
+ PSComputerName : localhost
2024-11-08T07:28:21.7091874Z users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
2024-11-08T07:28:21.7092676Z
2024-11-08T07:28:21.7146390Z excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
2024-11-08T07:28:21.7147233Z
2024-11-08T07:28:21.7149757Z ##[error]The PowerShell DSC resource
'[AADConditionalAccessPolicy]CAP001-Global-AllApps-NoCondition-MFAorCompliant::[EntraID]EntraID_Configuration' with
SourceInfo 'D:\a\1\s\M365Config\0.0.1\DSCResources\EntraID\EntraID.schema.psm1::46::21::AADConditionalAccessPolicy'
threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged
to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
2024-11-08T07:28:21.7156179Z membershipKind=all}
2024-11-08T07:28:21.7163050Z
2024-11-08T07:28:21.7173692Z guestOrExternalUserTypes=internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalU
2024-11-08T07:28:21.7206974Z ser,serviceProvider}
2024-11-08T07:28:21.7552570Z ##[error]+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
2024-11-08T07:28:21.7563120Z
Environment Information + PowerShell Version
No response
The text was updated successfully, but these errors were encountered: