Conditional access policies: bug with ExcludePlatforms #2337

Closed
semangard opened this issue Sep 27, 2022 · 8 comments · Fixed by #2408 or #2421

Comments

@semangard (Author)

Details of the scenario you tried and the problem that is occurring

Hello,

It seems that the ExcludePlatforms property raises some issues:

# ExcludePlatforms                       = @("android", "iOS", "macOS", "linux");
# ExcludePlatforms                       = @("android");
ExcludePlatforms                         = @();

Only the last value (empty array) currently works.

Verbose logs showing the problem

PS C:\git\cyberforce\cloud-ms-365-dsc\tools> .\DeployAll.ps1
The server could not process the request because it is malformed or incorrect.
    + CategoryInfo          : InvalidOperation: ({ ConditionalAc...AccessPolicy1 }:) [], CimException
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgIdentityConditionalAccessPolicy_UpdateExpanded
    + PSComputerName        : localhost

The PowerShell DSC resource '[AADConditionalAccessPolicy]CA11a' with SourceInfo 'C:\git\cyberforce\cloud-ms-365-dsc\config\aad\03-conditionalAccessPolicies\Config.ps1::250::9::AADConditionalAccessPolicy'
threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for
more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

The DSC configuration that is used to reproduce the issue (as detailed as possible)

AADConditionalAccessPolicy 'CA11a' {
    ApplicationEnforcedRestrictionsIsEnabled = $False;
    # BuiltInControls                          = @("mfa","compliantDevice");
    BuiltInControls                          = @("mfa");
    ClientAppTypes                           = @("all");
    CloudAppSecurityIsEnabled                = $False;
    CloudAppSecurityType                     = "";
    Credential                               = $CredsCredential;
    CustomAuthenticationFactors              = @();
    DeviceFilterRule                         = "";
    DisplayName                              = "TEST-DSC: CA11a - Requirements for priority accounts (allow)";
    Ensure                                   = $conditionalAccessPoliciesEnsure;
    ExcludeApplications                      = @();
    ExcludeDevices                           = @();
    ExcludeGroups                            = @($groupRescueUsersName);
    ExcludeLocations                         = @();
    # ExcludePlatforms                         = @($ExcludePlatformsWhenRequiringComplianceInReportingMode);
    # ExcludePlatforms                         = @("android", "iOS", "macOS", "linux");
    # ExcludePlatforms                         = @("android");
    ExcludePlatforms                         = @();
    ExcludeRoles                             = @();
    ExcludeUsers                             = @();
    GrantControlOperator                     = "AND";
    IncludeApplications                      = @("All");
    IncludeDevices                           = @();
    IncludeGroups                            = @($groupPriorityUsersName);
    IncludeLocations                         = @();
    IncludePlatforms                         = @();
    IncludeRoles                             = @();
    IncludeUserActions                       = @();
    IncludeUsers                             = @();
    PersistentBrowserIsEnabled               = $True;
    PersistentBrowserMode                    = "never";
    SignInFrequencyIsEnabled                 = $True;
    SignInFrequencyType                      = "hours";
    SignInFrequencyValue                     = 12;
    SignInRiskLevels                         = @();
    State                                    = $CAPoliciesState;
    UserRiskLevels                           = @();
}

The operating system the target node is running

Office365

Version of the DSC module that was used ('dev' if using current dev branch)

PS C:\git\cyberforce\cloud-ms-365-dsc\tools> Get-Module Microsoft365DSC -ListAvailable | select ModuleBase, Version

ModuleBase                                                            Version
----------                                                            -------
C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.921.1 1.22.921.1
andikrueger added the labels "Bug" and "Entra ID" on Sep 27, 2022

@andikrueger (Collaborator)

Based on the current documentation these values should still be supported. Could you test setting this property manually by calling Update-MgIdentityConditionalAccessPolicy?

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/update-mgidentityconditionalaccesspolicy?view=graph-powershell-1.0

[Platforms <IMicrosoftGraphConditionalAccessPlatforms>]: conditionalAccessPlatforms
[(Any) <Object>]: This indicates any property can be added to this object.
[ExcludePlatforms <String[]>]: Possible values are: android, iOS, windows, windowsPhone, macOS, linux, all, unknownFutureValue.
[IncludePlatforms <String[]>]: Possible values are: android, iOS, windows, windowsPhone, macOS, linux, all, unknownFutureValue.

@mlhickey (Contributor) commented Oct 4, 2022

I assume you were hand-editing the config file to add the ExcludePlatforms properties. When you specify ExcludePlatforms via the portal, the default for IncludePlatforms becomes "all" (or selected platform), sending a null entry is likely generating the error.

@andikrueger (Collaborator)

@semangard Could you check if your configuration is working fine by adding "all" to IncludePlatforms? Thanks @mlhickey for this insight!

andikrueger removed the "Bug" label on Oct 5, 2022

@semangard (Author) commented Oct 8, 2022

Hi @andikrueger

not better:

ExcludePlatforms                         = @("android", "iOS", "macOS", "linux");
IncludePlatforms                         = @("all");

does not work (for CA state = reporting mode):

[image]

@mlhickey (Contributor) commented Oct 9, 2022

Curious - Using 1.22.1005.1 I was able to replicate your error with an empty entry and resolve by adding "All" using the following based on your initial config:

AADConditionalAccessPolicy '57138c28-1e7a-4e5b-9f40-590a770b1df8'
{
    ApplicationEnforcedRestrictionsIsEnabled = $False;
    BuiltInControls = @("mfa");
    ClientAppTypes = @("all");
    CloudAppSecurityIsEnabled = $False;
    CloudAppSecurityType = "";
    CustomAuthenticationFactors = @();
    DeviceFilterRule = "";
    DisplayName = "TEST-DSC: CA11a - Requirements for priority accounts (allow)";
    Ensure = "Present";
    ExcludeApplications = @();
    ExcludeDevices = @();
    ExcludeGroups = @("ExExcGroup");
    ExcludeLocations = @();
    ExcludePlatforms = @("android","iOS","macOS","linux");
    ExcludeRoles = @();
    ExcludeUsers = @();
    GrantControlOperator = "AND";
    Id = "892c3d45-8230-459a-a948-ef2ce67a0556";
    IncludeApplications = @("All");
    IncludeDevices = @();
    IncludeGroups = @("ExIncGroup");
    IncludeLocations = @();
    # "All" gives the exclusions a working set to be evaluated against
    IncludePlatforms = @("All");
    IncludeRoles = @();
    IncludeUserActions = @();
    IncludeUsers = @();
    ManagedIdentity = $True;
    PersistentBrowserIsEnabled = $True;
    PersistentBrowserMode = "never";
    SignInFrequencyIsEnabled = $True;
    SignInFrequencyType = "hours";
    SignInFrequencyValue = 12;
    SignInRiskLevels = @();
    State = "enabledForReportingButNotEnforced";
    TenantId = $ConfigurationData.NonNodeData.TenantId;
    UserRiskLevels = @();
}
I assume your preprocessing of private variables is completing correctly?

@andikrueger (Collaborator)

@mlhickey thank you for the support with this issue!

@semangard please let us know if the suggestions work. Please review the .mof file for any issues with your "placeholders".

@semangard (Author) commented Oct 9, 2022

@mlhickey / @andikrueger : well, here is my last piece of code tested (in UPDATE MODE) and I think I understood my issue:

AADConditionalAccessPolicy '20a' {
    ApplicationEnforcedRestrictionsIsEnabled = $False;
    BuiltInControls                          = @("approvedApplication", "compliantApplication");
    ClientAppTypes                           = @("all");
    CloudAppSecurityIsEnabled                = $False;
    CloudAppSecurityType                     = "";
    Credential                               = $CredsCredential;
    CustomAuthenticationFactors              = @();
    DeviceFilterRule                         = "";
    DisplayName                              = $CAPoliciesPrefix + "CA20a - Requirements for O365 on mobiles";
    Ensure                                   = $CAPoliciesEnsure;
    ExcludeApplications                      = @();
    ExcludeDevices                           = @();
    ExcludeGroups                            = @($excludeGroups);
    ExcludeLocations                         = @();
    #------------------------
    # ExcludePlatforms                         = @();
    ExcludePlatforms                         = @("android", "iOS", "macOS", "linux");
    #------------------------
    ExcludeRoles                             = @();
    ExcludeUsers                             = @();
    GrantControlOperator                     = "AND";
    IncludeApplications                      = @("Office365");
    IncludeDevices                           = @();
    IncludeGroups                            = @();
    IncludeLocations                         = @();
    #------------------------
    # IncludePlatforms                         = @();
    IncludePlatforms                         = @("android", "iOS");
    # IncludePlatforms                         = @("all");
    #------------------------
    IncludeRoles                             = @();
    IncludeUserActions                       = @();
    IncludeUsers                             = $includeUsersAllOrScoped;
    PersistentBrowserIsEnabled               = $False;
    PersistentBrowserMode                    = "";
    SignInFrequencyIsEnabled                 = $False;
    SignInFrequencyType                      = "";
    SignInRiskLevels                         = @();
    State                                    = $CAPoliciesState;
    UserRiskLevels                           = @();
}

As you can see, I tested various combinations of ExcludePlatforms and IncludePlatforms.

=> Here are the ONLY combinations which work:

ExcludePlatforms                         = @();
IncludePlatforms                         = @();

ExcludePlatforms                         = @();
IncludePlatforms                         = @("android", "iOS");

ExcludePlatforms                         = @("android", "iOS", "macOS", "linux");
IncludePlatforms                         = @("android", "iOS");

=> MAM policies (BuiltInControls = @("approvedApplication")) do not support IncludePlatforms = "All" and support only the devices "android" and/or "iOS".

==> SO, it would be great if the tool could raise an explicit error for MAM policies at compilation:
-> if IncludePlatforms is not compliant with MAM
-> if ExcludePlatforms is not set to @("android", "iOS", "macOS", "linux") when the CA state is "enabledForReportingButNotEnforced"

Note: I used variables just to factorize a few things among conditional access policies and to easily switch the state from ON to OFF, for example.

@mlhickey (Contributor) commented Oct 9, 2022

@semangard - makes sense. If you only specify the include set, exclude doesn't need to be evaluated. If you specify exclude, CA needs to know what the working set is that items are being excluded from, hence the default of All if you do this via the portal.
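The two constraints this thread converges on (an exclusion list needs a working set to be excluded from, and the approvedApplication / compliantApplication grant controls only accept android and iOS as included platforms), expressed as the compile-time check that was asked for above. This is an added PowerShell example, not code from Microsoft365DSC or from any participant's post; the function names, the hashtable shape and the sample policies are constructed for the example, and the rules are only those stated in the thread, not a full description of what Graph validates.

```powershell
# Added example, not Microsoft365DSC or Microsoft Graph code. It pre-validates the
# IncludePlatforms / ExcludePlatforms / BuiltInControls combination of a DSC
# AADConditionalAccessPolicy hashtable against the rules this thread established:
#   1. ExcludePlatforms is only meaningful against a working set, so a non-empty
#      ExcludePlatforms needs a non-empty IncludePlatforms (the portal defaults to "all").
#   2. The app-protection (MAM) grant controls approvedApplication and
#      compliantApplication are only valid for android and iOS, so IncludePlatforms
#      must not contain "all" or any other platform when those controls are used.
# Function names and the hashtable shape are assumptions made for this example.

function Test-CAPlatformConditions {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [hashtable] $Policy)

    $findings = [System.Collections.Generic.List[string]]::new()

    # Normalise to arrays; a missing key ($null) and @() both become an empty array.
    $include  = @($Policy.IncludePlatforms | Where-Object { $_ })
    $exclude  = @($Policy.ExcludePlatforms | Where-Object { $_ })
    $controls = @($Policy.BuiltInControls  | Where-Object { $_ })

    # Values documented for conditionalAccessPlatforms (comparison is case-insensitive).
    $knownPlatforms = @('android', 'iOS', 'windows', 'windowsPhone', 'macOS', 'linux', 'all')
    $mamControls    = @('approvedApplication', 'compliantApplication')
    $mamPlatforms   = @('android', 'iOS')

    foreach ($p in ($include + $exclude)) {
        if ($knownPlatforms -notcontains $p) {
            $findings.Add("Unknown platform value '$p'.")
        }
    }

    # Rule 1: exclusions without a working set are what produced the BadRequest above.
    if ($exclude.Count -gt 0 -and $include.Count -eq 0) {
        $findings.Add("ExcludePlatforms is set but IncludePlatforms is empty; set IncludePlatforms (for example @('all')) so Graph knows what to exclude from.")
    }

    # Rule 2: MAM controls restrict the include set to android/iOS.
    $usesMam = @($controls | Where-Object { $mamControls -contains $_ }).Count -gt 0
    if ($usesMam) {
        foreach ($p in $include) {
            if ($mamPlatforms -notcontains $p) {
                $findings.Add("BuiltInControls '$($controls -join ', ')' only supports IncludePlatforms android/iOS, not '$p'.")
            }
        }
    }

    [pscustomobject]@{
        DisplayName = $Policy.DisplayName
        IsValid     = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

# Builds the 'platforms' condition object in the shape the Graph API expects, so the
# payload that ends up in Update-MgIdentityConditionalAccessPolicy can be inspected.
function ConvertTo-CAPlatformsCondition {
    param([Parameter(Mandatory)] [hashtable] $Policy)
    $include = @($Policy.IncludePlatforms | Where-Object { $_ })
    $exclude = @($Policy.ExcludePlatforms | Where-Object { $_ })
    if ($include.Count -eq 0 -and $exclude.Count -eq 0) {
        return $null   # no platform condition at all, which the thread reports as accepted
    }
    @{ includePlatforms = $include; excludePlatforms = $exclude }
}

# Constructed sample policies mirroring the combinations reported in this issue.
$samples = @(
    @{ DisplayName = 'CA11a as first posted (exclude, no include)'
       BuiltInControls = @('mfa'); IncludePlatforms = @()
       ExcludePlatforms = @('android', 'iOS', 'macOS', 'linux') }
    @{ DisplayName = 'CA11a with IncludePlatforms all'
       BuiltInControls = @('mfa'); IncludePlatforms = @('all')
       ExcludePlatforms = @('android', 'iOS', 'macOS', 'linux') }
    @{ DisplayName = 'CA20a MAM with all'
       BuiltInControls = @('approvedApplication', 'compliantApplication')
       IncludePlatforms = @('all'); ExcludePlatforms = @('android', 'iOS', 'macOS', 'linux') }
    @{ DisplayName = 'CA20a MAM with android/iOS'
       BuiltInControls = @('approvedApplication', 'compliantApplication')
       IncludePlatforms = @('android', 'iOS'); ExcludePlatforms = @('android', 'iOS', 'macOS', 'linux') }
)

foreach ($s in $samples) {
    $result = Test-CAPlatformConditions -Policy $s
    $status = if ($result.IsValid) { 'OK' } else { $result.Findings -join ' ' }
    "{0}: {1}" -f $result.DisplayName, $status
}
```

Run the check over each policy hashtable before the configuration is compiled to a .mof; the first and third samples are reported as invalid for the reasons given in the thread, the second and fourth pass. ConvertTo-CAPlatformsCondition is there to make visible that an empty include/exclude pair sends no platform condition at all, while a populated exclude list is always sent together with whatever include list it is scoped to.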
