Issue when sync conditional access policy #4734

Closed
long199941hp opened this issue Jun 5, 2024 · 7 comments · Fixed by #4970 or #4998

Comments

long199941hp commented Jun 5, 2024

Description of the issue

I ran the code successfully, but nothing was updated in my tenant.

Microsoft 365 DSC Version

1.24.529.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

# Generated with Microsoft365DSC version 1.24.529.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $Credential
)

Configuration M365TenantConfig
{
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    if ($null -eq $Credential)
    {
        <# Credentials #>
        $Credscredential = Get-Credential -Message "Credentials"

    }
    else
    {
        $CredsCredential = $Credential
    }

    $OrganizationName = $CredsCredential.UserName.Split('@')[1]

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.529.1'

    Node localhost
    {
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors"
        {
            ApplicationEnforcedRestrictionsIsEnabled = $False;
            AuthenticationContexts                   = @();
            BuiltInControls                          = @("mfa");
            ClientAppTypes                           = @("all");
            CloudAppSecurityIsEnabled                = $False;
            CloudAppSecurityType                     = "";
            Credential                               = $Credscredential;
            CustomAuthenticationFactors              = @();
            DeviceFilterRule                         = "";
            DisplayName                              = "Multifactor authentication for Microsoft partners and vendors";
            Ensure                                   = "Present";
            ExcludeApplications                      = @();
            ExcludeExternalTenantsMembers            = @();
            ExcludeExternalTenantsMembershipKind     = "";
            ExcludeGroups                            = @();
            ExcludeLocations                         = @();
            ExcludePlatforms                         = @();
            ExcludeRoles                             = @("Directory Synchronization Accounts");
            ExcludeUsers                             = @();
            GrantControlOperator                     = "OR";
            Id                                       = "238077a3-6148-40a5-96b2-fc7d45800a50";
            IncludeApplications                      = @("All");
            IncludeExternalTenantsMembers            = @();
            IncludeExternalTenantsMembershipKind     = "";
            IncludeGroups                            = @();
            IncludeLocations                         = @();
            IncludePlatforms                         = @();
            IncludeRoles                             = @();
            IncludeUserActions                       = @();
            IncludeUsers                             = @("All");
            PersistentBrowserIsEnabled               = $False;
            PersistentBrowserMode                    = "";
            SignInFrequencyIsEnabled                 = $False;
            SignInFrequencyType                      = "";
            SignInRiskLevels                         = @();
            State                                    = "enabled";
            TransferMethods                          = "";
            UserRiskLevels                           = @();
        }
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-Test01"
        {
            ApplicationEnforcedRestrictionsIsEnabled = $False;
            AuthenticationContexts                   = @();
            BuiltInControls                          = @("mfa");
            ClientAppTypes                           = @("all");
            CloudAppSecurityIsEnabled                = $False;
            CloudAppSecurityType                     = "";
            Credential                               = $Credscredential;
            CustomAuthenticationFactors              = @();
            DeviceFilterRule                         = "";
            DisplayName                              = "Test01";
            Ensure                                   = "Present";
            ExcludeApplications                      = @();
            ExcludeExternalTenantsMembers            = @();
            ExcludeExternalTenantsMembershipKind     = "";
            ExcludeGroups                            = @();
            ExcludeLocations                         = @();
            ExcludePlatforms                         = @();
            ExcludeRoles                             = @();
            ExcludeUsers                             = @();
            GrantControlOperator                     = "OR";
            Id                                       = "942e6072-959a-4489-815c-5fe27da30769";
            IncludeApplications                      = @("None");
            IncludeExternalTenantsMembers            = @();
            IncludeExternalTenantsMembershipKind     = "";
            IncludeGroups                            = @();
            IncludeLocations                         = @();
            IncludePlatforms                         = @();
            IncludeRoles                             = @();
            IncludeUserActions                       = @();
            IncludeUsers                             = @("All");
            PersistentBrowserIsEnabled               = $False;
            PersistentBrowserMode                    = "";
            SignInFrequencyIsEnabled                 = $False;
            SignInFrequencyType                      = "";
            SignInRiskLevels                         = @();
            State                                    = "enabledForReportingButNotEnforced";
            TransferMethods                          = "";
            UserRiskLevels                           = @();
        }
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-Test02"
        {
            ApplicationEnforcedRestrictionsIsEnabled = $False;
            AuthenticationContexts                   = @();
            BuiltInControls                          = @("mfa");
            ClientAppTypes                           = @("all");
            CloudAppSecurityIsEnabled                = $False;
            CloudAppSecurityType                     = "";
            Credential                               = $Credscredential;
            CustomAuthenticationFactors              = @();
            DeviceFilterRule                         = "";
            DisplayName                              = "Test02";
            Ensure                                   = "Present";
            ExcludeApplications                      = @();
            ExcludeExternalTenantsMembers            = @();
            ExcludeExternalTenantsMembershipKind     = "";
            ExcludeGroups                            = @();
            ExcludeLocations                         = @();
            ExcludePlatforms                         = @();
            ExcludeRoles                             = @();
            ExcludeUsers                             = @();
            GrantControlOperator                     = "OR";
            Id                                       = "11c46ce3-6955-4981-a3d4-1f9e17814977";
            IncludeApplications                      = @("None");
            IncludeExternalTenantsMembers            = @();
            IncludeExternalTenantsMembershipKind     = "";
            IncludeGroups                            = @();
            IncludeLocations                         = @();
            IncludePlatforms                         = @();
            IncludeRoles                             = @();
            IncludeUserActions                       = @();
            IncludeUsers                             = @("None");
            PersistentBrowserIsEnabled               = $False;
            PersistentBrowserMode                    = "";
            SignInFrequencyIsEnabled                 = $False;
            SignInFrequencyType                      = "";
            SignInRiskLevels                         = @();
            State                                    = "enabledForReportingButNotEnforced";
            TransferMethods                          = "";
            UserRiskLevels                           = @();
        }
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-Test03"
        {
            ApplicationEnforcedRestrictionsIsEnabled = $False;
            AuthenticationContexts                   = @();
            BuiltInControls                          = @("mfa");
            ClientAppTypes                           = @("all");
            CloudAppSecurityIsEnabled                = $False;
            CloudAppSecurityType                     = "";
            Credential                               = $Credscredential;
            CustomAuthenticationFactors              = @();
            DeviceFilterRule                         = "";
            DisplayName                              = "Test03";
            Ensure                                   = "Present";
            ExcludeApplications                      = @();
            ExcludeExternalTenantsMembers            = @();
            ExcludeExternalTenantsMembershipKind     = "";
            ExcludeGroups                            = @();
            ExcludeLocations                         = @();
            ExcludePlatforms                         = @();
            ExcludeRoles                             = @();
            ExcludeUsers                             = @();
            GrantControlOperator                     = "OR";
            Id                                       = "9f18f450-ca9b-4b0a-9e94-3063722ba1ab";
            IncludeApplications                      = @("None");
            IncludeExternalTenantsMembers            = @();
            IncludeExternalTenantsMembershipKind     = "";
            IncludeGroups                            = @();
            IncludeLocations                         = @();
            IncludePlatforms                         = @();
            IncludeRoles                             = @();
            IncludeUserActions                       = @();
            IncludeUsers                             = @();
            PersistentBrowserIsEnabled               = $False;
            PersistentBrowserMode                    = "";
            SignInFrequencyIsEnabled                 = $False;
            SignInFrequencyType                      = "";
            SignInRiskLevels                         = @();
            State                                    = "enabledForReportingButNotEnforced";
            TransferMethods                          = "";
            UserRiskLevels                           = @();
        }
    }
}

M365TenantConfig -ConfigurationData .\ConfigurationData.psd1 -Credential $Credential

Verbose logs showing the problem

**********************
Windows PowerShell transcript start
Start time: 20240605162242
Username: LONG\dongn
RunAs User: LONG\dongn
Configuration Name: 
Machine: LONG (Microsoft Windows NT 10.0.22631.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Process ID: 2376
PSVersion: 5.1.22621.2506
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22621.2506
BuildVersion: 10.0.22621.2506
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is c:\001.txt
PS C:\ps> Start-DscConfiguration -Path "C:\PS\M365TenantConfig" -Wait -Verbose -Force
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer LONG with user sid S-1-5-21-192617748-1530082012-1728050873-1001.
VERBOSE: [LONG]: LCM:  [ Start  Set      ]
VERBOSE: [LONG]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors]
VERBOSE: [LONG]: LCM:  [ Start  Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Testing configuration of AzureAD CA Policies
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Couldn't find existing policy by ID {238077a3-6148-40a5-96b2-fc7d45800a50}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Found existing Conditional Access policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process IncludeUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process ExcludeUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process IncludeGroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process ExcludeGroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Location condition defined, processing
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Processing IncludeLocations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Processing ExcludeLocations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource Result: 
 AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=$null
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa)
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=Multifactor authentication for Microsoft partners and vendors
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=338f3dd3-82bd-4f88-8507-1c0cf3eeb9e4
IncludeApplications=(All)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=()
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Current Values: AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=$null
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa)
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=Multifactor authentication for Microsoft partners and vendors
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=338f3dd3-82bd-4f88-8507-1c0cf3eeb9e4
IncludeApplications=(All)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=()
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Target Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Multifactor authentication for Microsoft partners and vendors
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=(Directory Synchronization Accounts)
ExcludeUsers=()
GrantControlOperator=OR
Id=238077a3-6148-40a5-96b2-fc7d45800a50
IncludeApplications=(All)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(All)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabled
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Test-TargetResource returned False
VERBOSE: [LONG]: LCM:  [ End    Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors]  in 14.5240 seconds.
VERBOSE: [LONG]: LCM:  [ Start  Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Running Get-TargetResource
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Couldn't find existing policy by ID {238077a3-6148-40a5-96b2-fc7d45800a50}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Found existing Conditional Access policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process IncludeUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process ExcludeUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process IncludeGroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Process ExcludeGroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Location condition defined, processing
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Processing IncludeLocations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource: Processing ExcludeLocations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Get-TargetResource Result: 
 AccessTokens=$null
ApplicationEnforcedRestrictionsIsEnabled=False
ApplicationId=***
ApplicationSecret=$null
ApplicationsFilter=$null
ApplicationsFilterMode=$null
AuthenticationContexts=()
AuthenticationStrength=$null
BuiltInControls=(mfa)
CertificateThumbprint=***
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterMode=
DeviceFilterRule=
DisplayName=Multifactor authentication for Microsoft partners and vendors
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeGuestOrExternalUserTypes=$null
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=338f3dd3-82bd-4f88-8507-1c0cf3eeb9e4
IncludeApplications=(All)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeGuestOrExternalUserTypes=$null
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
Managedidentity=False
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyInterval=$null
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInFrequencyValue=$null
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TenantId=***
TermsOfUse=$null
TransferMethods=
UserRiskLevels=()
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Cleaning up parameters
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Policy Multifactor authentication for Microsoft partners and vendors Ensure Present
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: create Conditions object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: create Application Condition object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process includeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process excludeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process includegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process excludegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process includeroles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process excluderoles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process platform condition
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: setting platform condition to null
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process include and exclude locations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process device filter
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process risk levels and app types
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: UserRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: SignInRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: ClientAppTypes: all
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Adding processed conditions
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: create and provision Grant Control object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Adding processed grant controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: process session controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Change policy Multifactor authentication for Microsoft partners and vendors
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Updating existing policy with values: ConditionalAccessPolicyId=338f3dd3-82bd-4f88-8507-1c0cf3eeb9e4
conditions={applications={excludeApplications=()
includeApplications=(All)}
authenticationFlows={transferMethods=}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=()
excludeRoles=(d29b2b05-8046-44ba-8758-1e26182fcf32)
excludeUsers=()
includeGroups=()
includeRoles=()
includeUsers=(All)}}
displayName=Multifactor authentication for Microsoft partners and vendors
grantControls={builtInControls=(mfa)
operator=OR}
sessionControls=$null
state=enabled
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] PATCH https://graph.microsoft.com/beta/identity/conditionalAccess/policies/338f3dd3-82bd-4f88-8507-1c0cf3eeb9e4 with 626-byte payload
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] received 547-byte response of content type application/json
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Failed change policy Multifactor authentication for Microsoft partners and vendors
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors] Set-Targetresource: Finished processing Policy Multifactor authentication for Microsoft partners and vendors
VERBOSE: [LONG]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors]  in 10.5570 seconds.
VERBOSE: [LONG]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Multifactor authentication for Microsoft partners and vendors]
VERBOSE: [LONG]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01]
VERBOSE: [LONG]: LCM:  [ Start  Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Testing configuration of AzureAD CA Policies
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Couldn't find existing policy by ID {942e6072-959a-4489-815c-5fe27da30769}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] No existing Policy with name {Test01} were found
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Current Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Test01
Ensure=Absent
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=942e6072-959a-4489-815c-5fe27da30769
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(All)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Target Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Test01
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=942e6072-959a-4489-815c-5fe27da30769
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(All)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Test-TargetResource returned False
VERBOSE: [LONG]: LCM:  [ End    Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01]  in 2.7230 seconds.
VERBOSE: [LONG]: LCM:  [ Start  Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Running Get-TargetResource
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Couldn't find existing policy by ID {942e6072-959a-4489-815c-5fe27da30769}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] No existing Policy with name {Test01} were found
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Cleaning up parameters
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Policy Test01 Ensure Present
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: create Conditions object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: create Application Condition object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process includeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process excludeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process includegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process excludegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process includeroles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process excluderoles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process platform condition
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: setting platform condition to null
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process include and exclude locations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process device filter
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process risk levels and app types
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: UserRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: SignInRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: ClientAppTypes: all
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Adding processed conditions
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: create and provision Grant Control object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Adding processed grant controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: process session controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: create policy Test01
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Create Parameters:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] conditions={applications={excludeApplications=()
includeApplications=(None)}
authenticationFlows={transferMethods=}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=()
excludeRoles=()
excludeUsers=()
includeGroups=()
includeRoles=()
includeUsers=(All)}}
displayName=Test01
grantControls={builtInControls=(mfa)
operator=OR}
sessionControls=$null
state=enabledForReportingButNotEnforced
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies with 493-byte payload
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] received 552-byte response of content type application/json
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Failed creating new policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01] Set-Targetresource: Finished processing Policy Test01
VERBOSE: [LONG]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01]  in 3.0810 seconds.
VERBOSE: [LONG]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test01]
VERBOSE: [LONG]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02]
VERBOSE: [LONG]: LCM:  [ Start  Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Testing configuration of AzureAD CA Policies
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Couldn't find existing policy by ID {11c46ce3-6955-4981-a3d4-1f9e17814977}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] No existing Policy with name {Test02} were found
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Current Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Test02
Ensure=Absent
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=11c46ce3-6955-4981-a3d4-1f9e17814977
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Target Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Test02
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=11c46ce3-6955-4981-a3d4-1f9e17814977
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=(None)
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Test-TargetResource returned False
VERBOSE: [LONG]: LCM:  [ End    Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02]  in 2.3180 seconds.
VERBOSE: [LONG]: LCM:  [ Start  Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Running Get-TargetResource
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Couldn't find existing policy by ID {11c46ce3-6955-4981-a3d4-1f9e17814977}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] No existing Policy with name {Test02} were found
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Cleaning up parameters
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Policy Test02 Ensure Present
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: create Conditions object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: create Application Condition object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process includeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process excludeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process includegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process excludegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process includeroles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process excluderoles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process platform condition
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: setting platform condition to null
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process include and exclude locations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process device filter
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process risk levels and app types
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: UserRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: SignInRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: ClientAppTypes: all
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Adding processed conditions
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: create and provision Grant Control object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Adding processed grant controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: process session controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: create policy Test02
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Create Parameters:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] conditions={applications={excludeApplications=()
includeApplications=(None)}
authenticationFlows={transferMethods=}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=()
excludeRoles=()
excludeUsers=()
includeGroups=()
includeRoles=()
includeUsers=(None)}}
displayName=Test02
grantControls={builtInControls=(mfa)
operator=OR}
sessionControls=$null
state=enabledForReportingButNotEnforced
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies with 494-byte payload
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] received 552-byte response of content type application/json
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Failed creating new policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02] Set-Targetresource: Finished processing Policy Test02
VERBOSE: [LONG]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02]  in 3.0510 seconds.
VERBOSE: [LONG]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test02]
VERBOSE: [LONG]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]
VERBOSE: [LONG]: LCM:  [ Start  Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Testing configuration of AzureAD CA Policies
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Couldn't find existing policy by ID {9f18f450-ca9b-4b0a-9e94-3063722ba1ab}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] No existing Policy with name {Test03} were found
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Current Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Test03
Ensure=Absent
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=9f18f450-ca9b-4b0a-9e94-3063722ba1ab
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Target Values: ApplicationEnforcedRestrictionsIsEnabled=False
AuthenticationContexts=()
BuiltInControls=(mfa)
ClientAppTypes=(all)
CloudAppSecurityIsEnabled=False
CloudAppSecurityType=
Credential=***
CustomAuthenticationFactors=()
DeviceFilterRule=
DisplayName=Test03
Ensure=Present
ExcludeApplications=()
ExcludeExternalTenantsMembers=()
ExcludeExternalTenantsMembershipKind=
ExcludeGroups=()
ExcludeLocations=()
ExcludePlatforms=()
ExcludeRoles=()
ExcludeUsers=()
GrantControlOperator=OR
Id=9f18f450-ca9b-4b0a-9e94-3063722ba1ab
IncludeApplications=(None)
IncludeExternalTenantsMembers=()
IncludeExternalTenantsMembershipKind=
IncludeGroups=()
IncludeLocations=()
IncludePlatforms=()
IncludeRoles=()
IncludeUserActions=()
IncludeUsers=()
PersistentBrowserIsEnabled=False
PersistentBrowserMode=
SignInFrequencyIsEnabled=False
SignInFrequencyType=
SignInRiskLevels=()
State=enabledForReportingButNotEnforced
TransferMethods=
UserRiskLevels=()
Verbose=True
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Test-TargetResource returned False
VERBOSE: [LONG]: LCM:  [ End    Test     ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]  in 2.6700 seconds.
VERBOSE: [LONG]: LCM:  [ Start  Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Setting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Running Get-TargetResource
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Getting configuration of AzureAD Conditional Access Policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] PolicyID was specified
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Couldn't find existing policy by ID {9f18f450-ca9b-4b0a-9e94-3063722ba1ab}
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] No existing Policy with name {Test03} were found
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Cleaning up parameters
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Policy Test03 Ensure Present
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: create Conditions object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: create Application Condition object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process includeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process excludeusers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process includegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process excludegroups
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process includeroles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process excluderoles
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process includeGuestOrExternalUser
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process excludeGuestsOrExternalUsers
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process platform condition
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: setting platform condition to null
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process include and exclude locations
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process device filter
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process risk levels and app types
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: UserRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: SignInRiskLevels:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: ClientAppTypes: all
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: authenticationFlows transferMethods:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Adding processed conditions
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: create and provision Grant Control object
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Adding processed grant controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: process session controls
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: create policy Test03
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Create Parameters:
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] conditions={applications={excludeApplications=()
includeApplications=(None)}
authenticationFlows={transferMethods=}
clientAppTypes=(all)
platforms=$null
signInRiskLevels=()
userRiskLevels=()
users={excludeGroups=()
excludeRoles=()
excludeUsers=()
includeGroups=()
includeRoles=()
includeUsers=()}}
displayName=Test03
grantControls={builtInControls=(mfa)
operator=OR}
sessionControls=$null
state=enabledForReportingButNotEnforced
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies with 488-byte payload
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] received 552-byte response of content type application/json
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Failed creating new policy
VERBOSE: [LONG]:                            [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Finished processing Policy Test03
VERBOSE: [LONG]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]  in 3.1280 seconds.
VERBOSE: [LONG]: LCM:  [ End    Resource ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]
WARNING: Falling back to the previous MOF file or system defaults because the meta configuration mof does not exist or has either been corrupted or an invalid mof property has been set.
VERBOSE: [LONG]: LCM:  [ End    Set      ]
VERBOSE: [LONG]: LCM:  [ End    Set      ]    in  42.3880 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 42.472 seconds
PS C:\ps> Stop-Transcript
**********************
Windows PowerShell transcript end
End time: 20240605162350
**********************

Environment Information + PowerShell Version

PS C:\Windows\system32> Get-ComputerInfo -Property @(
'OsName',
'OsOperatingSystemSKU',
'OSArchitecture',
'WindowsVersion',
'WindowsBuildLabEx',
'OsLanguage',
'OsMuiLanguages')


OsName               : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}



PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@andikrueger
Collaborator

Does your tenant have at least one Entra ID P1 or P2 license to enable Conditional Access?

@ricmestre
Contributor

@andikrueger If you look closely, the deployment is actually failing for all resources with "Set-Targetresource: Failed creating new policy". The same issue has already been reported in #4725, and it doesn't look like a licensing issue since this was working before.

@long199941hp
Author

Before deploying in my company tenant, I test this function in the Microsoft CDX tenant. I have an M365 E5 license.

@long199941hp
Author

long199941hp commented Jun 7, 2024

In my Event Viewer, the log reports:
"Error creating new policy:

{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.529.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682"

And at line 1655 of MSFT_AADConditionalAccessPolicy.psm1 I found that it uses "$NewParameters.Add('ConditionalAccessPolicyId', $currentPolicy.Id)"

But the Microsoft Graph documentation does not have "ConditionalAccessPolicyId"; it only has "Id". I tried to fix it, but it did not work.

@vinam779
vinam779 commented Jun 7, 2024

Hello,
I am facing the same error when trying to run Start-DscConfiguration with my MOF file.
Error creating new policy:
{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365dsc\1.24.522.1\DscResources\MSFT_AADConditionalAccessPolicy\MSFT_AADConditionalAccessPolicy.psm1: line 1682

I have one computer with Microsoft365DSC module version 1.24.522.1. I updated Microsoft365DSC recently.
And I have another computer that I have not updated recently, and it is using module version 1.24.228.1.
With version 1.24.228.1, everything is working fine for Entra ID conditionalAccess: I can create and update conditionalAccess from the MOF file without error.
But with version 1.24.522.1, creation and update of conditionalAccess do not work anymore.
The DSC agent verbose log does not output any error; it seems that everything is working fine. But when checking conditionalAccess in the M365 console, nothing has changed. And looking at the event log, there is this "BadRequest" error.
It seems that since the update of Microsoft365DSC, some functionality for conditionalAccess is not working anymore.
Moreover, I can see that a new option, "TransferMethods", has been added to the conditionalAccess settings.

Has anyone managed to create and update conditionalAccess objects with version 1.24.522.1 and earlier versions?
Regards

@vinam779

vinam779 commented Jun 7, 2024

Hello, one update from my end.
The M365DSC deployment is successful after removing the following line from the MOF file:
TransferMethods = "";

The M365DSC team has switched from "Update-MgBetaIdentityConditionalAccessPolicy" to Invoke-MgGraphRequest.
There may be some fine-tuning to do with this new property TransferMethods on the $newparameters variable.
Great job to the team, by the way.
Regards
Vi-Nam

@dhuntingopr

I can confirm that removing the TransferMethods = ""; line does in fact correct the issue.
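The symptom and workaround reported in this thread, as an added example that is not part of the original issue or of the Microsoft365DSC project: one function flags Conditional Access resources whose creation failed during an LCM run that otherwise completed, and another strips empty `TransferMethods` assignments from configuration text. The function names are hypothetical, and the sample transcript and configuration are constructed from lines quoted above.

```powershell
# Added example. Function names are hypothetical; the sample transcript and
# configuration are constructed from lines quoted in this thread.

function Get-FailedPolicyFromTranscript {
    param([Parameter(Mandatory)][string[]]$Line)
    # Matches the verbose line a resource emits when policy creation fails:
    #   [[AADConditionalAccessPolicy]<instance>] Set-Targetresource: Failed creating new policy
    $pattern = '\[\[AADConditionalAccessPolicy\](?<Instance>[^\]]+)\]\s+' +
               'Set-Targetresource: (?<Message>Failed creating new policy)'
    foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            [pscustomobject]@{ Instance = $Matches['Instance']; Message = $Matches['Message'] }
        }
    }
}

function Remove-EmptyTransferMethods {
    param([Parameter(Mandatory)][string]$ConfigText)
    # Drop only assignments whose value is an empty string; populated values stay.
    $kept = $ConfigText -split '\r?\n' |
        Where-Object { $_ -notmatch '^\s*TransferMethods\s*=\s*(""|'''')\s*;?\s*$' }
    $kept -join [Environment]::NewLine
}

# Constructed sample: three verbose lines in the format shown in the transcript.
$transcript = @(
    'VERBOSE: [LONG]:   [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Failed creating new policy'
    'VERBOSE: [LONG]:   [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03] Set-Targetresource: Finished processing Policy Test03'
    'VERBOSE: [LONG]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-Test03]  in 3.1280 seconds.'
)

# Constructed sample: a minimal resource block carrying the empty property.
$config = @'
AADConditionalAccessPolicy "AADConditionalAccessPolicy-Test03"
{
    BuiltInControls = @("mfa");
    DisplayName     = "Test03";
    State           = "enabledForReportingButNotEnforced";
    TransferMethods = "";
}
'@

$failed = @(Get-FailedPolicyFromTranscript -Line $transcript)
if ($failed.Count -gt 0) {
    Write-Warning ('LCM run completed, but these policies were not created: ' +
        (($failed.Instance | Sort-Object -Unique) -join ', '))
}
Remove-EmptyTransferMethods -ConfigText $config
```

Any object returned by the first function means the tenant is missing a policy even though the configuration job finished, so the result is worth checking before treating a run as applied.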
