Details of the scenario you tried and the problem that is occurring
We use a 3rd party MFA solution (Symantec VIP) configured as a custom control. When using the module to export my config, I noticed that my policies are being exported with no Grant controls, as it doesn't appear to support custom controls.
Verbose logs showing the problem
Suggested solution to the issue
While technically custom controls ARE still a preview feature, the config for them is included in both the beta and v1.0 Graph API for conditional access policies https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies and can be set/retrieved with the string collection attribute customAuthenticationFactors as shown in the conditionalAccessGrantControls resource type properties.
As this feature has been in preview for several years now, and Microsoft's hinted-at replacement has yet to materialize after over 2 years, it would greatly enhance the usability of the module if we could set/retrieve this attribute as part of the AADConditionalAccessPolicy resource, even if the module doesn't support creation of the control resource itself since that is still preview.
A CustomAuthenticationFactors or CustomControls attribute could be added to the AADConditionalAccessPolicy resource that accepts a string array as input, which maps to the array of IDs returned by the customAuthenticationFactors attribute in the conditionalAccess/policies API.
The DSC configuration that is used to reproduce the issue (as detailed as possible)
Export-M365DSCConfiguration -Components @( "AADConditionalAccessPolicy") -Credential $Credential
The operating system the target node is running
n/a
Version of the DSC module that was used ('dev' if using current dev branch)
1.22.914.1
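An added example, not part of the original issue or of the Microsoft365DSC module: a way to list which conditional access policies rely on `customAuthenticationFactors`, so an export that omits them can be checked for policies left with no grant controls. `Get-CustomControlPolicy` is a hypothetical helper, and the sample JSON is constructed in the shape of the `conditionalAccess/policies` response with placeholder names and IDs.

```powershell
# Constructed sample shaped like the response of
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# (display names and the control ID are placeholders, not real tenant data).
$sampleJson = @'
{"value": [
  {"displayName": "EXAMPLE - Require third-party MFA", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": [],
     "customAuthenticationFactors": ["EXAMPLE-CUSTOM-CONTROL-ID"], "termsOfUse": []}},
  {"displayName": "EXAMPLE - Require built-in MFA", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
     "customAuthenticationFactors": [], "termsOfUse": []}}
]}
'@

function Get-CustomControlPolicy {
    # Hypothetical helper: returns one record per policy whose grant controls
    # reference at least one custom control ID.
    param([Parameter(Mandatory)][object[]]$Policy)

    foreach ($p in $Policy) {
        $grant = $p.grantControls
        if ($null -eq $grant) { continue }   # block/session-only policies have no grant controls

        # Where-Object drops $null and empty entries, so a missing property counts as zero.
        $custom  = @($grant.customAuthenticationFactors | Where-Object { $_ })
        $builtIn = @($grant.builtInControls | Where-Object { $_ })
        $terms   = @($grant.termsOfUse | Where-Object { $_ })
        if ($custom.Count -eq 0) { continue }

        [pscustomobject]@{
            DisplayName       = $p.displayName
            State             = $p.state
            CustomControlIds  = $custom
            # True when the custom control is the only grant requirement: an export
            # that omits it leaves the policy with no grant controls at all.
            OnlyCustomControl = ($builtIn.Count -eq 0) -and ($terms.Count -eq 0) -and
                                ($null -eq $grant.authenticationStrength)
        }
    }
}

$policies = ($sampleJson | ConvertFrom-Json).value
Get-CustomControlPolicy -Policy $policies | Format-Table -AutoSize
```

Policies reported with `OnlyCustomControl` set to true are the ones to compare against the exported configuration before it is applied anywhere.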