AADConditionalAccessPolicy - BUG - Malformed PATCH Request MSGraph

[pangjaa]

Description of the issue

After updating to DSC from 1.24.1016.1, I am unable to update Conditional Access Policies provisioned through DSC. Looking at the changelog for [1.24.1106.3(]https://github.com/microsoft/Microsoft365DSC/releases/tag/1.24.1106.3), InsiderRiskLevels was recently added.

Looking at DSC ETW logs, I see that it is passed as an empty string: "insiderRiskLevels": "", in the json body. I believe that this value must be minor, moderate, elevated, or unknownFutureValue per https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessconditionset?view=graph-rest-beta

{
    "displayName": "Block Access Except",
    "sessionControls": null,
    "ConditionalAccessPolicyId": "<policy-guid>",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": [
            "all"
        ],
        "signInRiskLevels": [],
        "users": {
            "excludeRoles": [],
            "includeRoles": [],
            "excludeUsers": [
                "<guid>",
            ],
            "includeUsers": [
                "All"
            ],
            "includeGroups": [],
            "excludeGroups": [
                "<guid>"
            ]
        },
        "platforms": null,
        "insiderRiskLevels": "",
        "userRiskLevels": [],
        "applications": {
            "includeApplications": [
                "MicrosoftAdminPortals"
            ]
        }
    },
    "grantControls": {
        "builtInControls": [
            "block"
        ],
        "operator": "OR"
    }
}

Microsoft 365 DSC Version

1.24.1106.3

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

Verbose logs showing the problem

{
    "error": {
        "code": "BadRequest",
        "message": "The server could not process the request because it is malformed or incorrect.",
        "innerError": {
            "message": "1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccesspolicy-update?view=graph-rest-beta.",
            "date": "2024-11-11T18:16:29",
            "request-id": "20dfef48-1af7-4374-adbe-317b9c171157",
            "client-request-id": "546a13c4-180a-4bd4-89ec-d0153d527f9a"
        }
    }
}

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}