user_risk_levels option error #1199

Open
Keith-EMP opened this issue Sep 25, 2023 · 1 comment

When creating a conditional access policy to only manage user_risk_levels, it errors out. My policy is very simple (below). The error says 2 options are not allowed, and I am not setting those. I even tried setting them as false; no difference. The setup is from the Microsoft example at https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies. When setting the sign-in frequency to "every time", the option below needs to be 0 and the frequency period should be empty, but the provider forces us to use both options, so I am just setting it to hours just to have it.

```hcl
resource "azuread_conditional_access_policy" "CAPUserRisk_v1" {
  display_name = "CA_User Risk - v1"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]
    user_risk_levels = ["high"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["All"]
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "passwordChange"]
  }

  session_controls {
    sign_in_frequency        = 0
    sign_in_frequency_period = "hours"
  }
}
```

Error is:

```text
│ Error: Could not create conditional access policy
│
│   with azuread_conditional_access_policy.CAPUserRisk_v1,
│   on CAP-UserRisk_v1.tf line 5, in resource "azuread_conditional_access_policy" "CAPUserRisk_v1":
│    5: resource "azuread_conditional_access_policy" "CAPUserRisk_v1" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls, 'applicationEnforcedRestrictions,
│ disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time is supported. For examples, please see the API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
```


Steps to Reproduce

  1. terraform apply
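Added example, not from the issue or the provider's code: a pre-flight check over the Graph request body that encodes the rule error 1115 states (with passwordChange in the grant controls, only a signInFrequency of "every time" may be present in sessionControls), so a policy can be validated before `terraform apply`. Field names follow the Graph conditionalAccessPolicy schema the error links to; the body below is constructed from the HCL in this issue, and treating every non-null control as "specified" (even a disabled one) is an assumption that matches what the error reports.

```python
import copy

# Constructed Graph-shaped body for the HCL in this issue (assumption: this is roughly
# what the provider sends; the two extra session controls are the ones error 1115 names).
REJECTED_BODY = {
    "displayName": "CA_User Risk - v1",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["all"],
        "userRiskLevels": ["high"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    "sessionControls": {
        "applicationEnforcedRestrictions": {"isEnabled": False},
        "disableResilienceDefaults": False,
        "signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"},
    },
}


def password_change_conflicts(policy: dict) -> list:
    """Session-control keys Graph rejects with error 1115 when builtInControls has
    passwordChange: only signInFrequency set to 'everyTime' may accompany it.
    Returns the sorted offending keys; an empty list means this check passes."""
    grants = policy.get("grantControls") or {}
    if "passwordChange" not in (grants.get("builtInControls") or []):
        return []
    conflicts = []
    for key, value in (policy.get("sessionControls") or {}).items():
        if value is None:
            continue  # null means the control is not specified at all
        if key == "signInFrequency":
            if value.get("isEnabled") and value.get("frequencyInterval") == "everyTime":
                continue
            conflicts.append(key)  # a timed frequency (e.g. 1 hour) is rejected too
        else:
            conflicts.append(key)  # any other control, enabled or not, is rejected
    return sorted(conflicts)


def compliant_body(policy: dict) -> dict:
    """Copy of the policy keeping only the signInFrequency 'everyTime' session control."""
    fixed = copy.deepcopy(policy)
    fixed["sessionControls"] = {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}}
    return fixed
```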

manicminer (Contributor) commented Sep 25, 2023

Hi @Keith-EMP, thanks for reporting your use case and this error. Unfortunately, the API has some long-standing bugs around sessionControls which limit our options significantly, but I will have another look just in case maybe something got fixed, or there's perhaps some other way we can work around this.
