
AADConditionalAccessPolicy: BuiltInControls with value "passwordChange" failed with BadRequest error #4629

Closed
gbs916 opened this issue May 3, 2024 · 1 comment

Comments

@gbs916

gbs916 commented May 3, 2024

Description of the issue

I want to create a policy which requests a password change when the userRisk is high.
As soon as I set BuiltInControls to passwordChange, the deployment fails. If I put "mfa" instead of passwordChange it works and the policy is created.
BuiltInControls = @("passwordChange"); => failed
BuiltInControls = @("mfa"); => works
The value passwordChange is provided by my configuration export, run with Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy")

Microsoft 365 DSC Version

1.24.424.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADConditionalAccessPolicy "AADConditionalAccessPolicy-Require MFA and password change for high risk users"
{
    AuthenticationContexts               = @();
    AuthenticationStrength               = "Multifactor authentication";
    BuiltInControls                      = @("passwordChange");
    ClientAppTypes                       = @("all");
    CloudAppSecurityType                 = "";
    Credential                           = $Credscredential;
    CustomAuthenticationFactors          = @();
    DeviceFilterRule                     = "";
    DisplayName                          = "Require MFA and password change for high risk users";
    Ensure                               = "Present";
    ExcludeApplications                  = @();
    ExcludeExternalTenantsMembers        = @();
    ExcludeExternalTenantsMembershipKind = "all";
    ExcludeGroups                        = @("GPAZ-AzureAD-MFA-Bypass");
    ExcludeGuestOrExternalUserTypes      = @("b2bCollaborationGuest");
    ExcludeLocations                     = @();
    ExcludePlatforms                     = @();
    ExcludeRoles                         = @();
    ExcludeUsers                         = @();
    GrantControlOperator                 = "AND";
    Id                                   = "";
    IncludeApplications                  = @("All");
    IncludeExternalTenantsMembers        = @();
    IncludeExternalTenantsMembershipKind = "";
    IncludeGroups                        = @();
    IncludeLocations                     = @();
    IncludePlatforms                     = @();
    IncludeRoles                         = @();
    IncludeUserActions                   = @();
    IncludeUsers                         = @("All");
    PersistentBrowserMode                = "";
    SignInFrequencyInterval              = "everyTime";
    SignInFrequencyIsEnabled             = $True;
    SignInFrequencyType                  = "";
    SignInRiskLevels                     = @();
    State                                = "enabled";
    UserRiskLevels                       = @("high");
}

Verbose logs showing the problem

##[error][BadRequest] : The server could not process the request because it is malformed or incorrect.
    + CategoryInfo          : InvalidOperation: ({ ConditionalAc...lAccessPolicy }:) [], CimException
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.Beta.PowerShell.Cmdlets.UpdateMgBetaIdentityConditionalAccessPolicy_UpdateExpanded
    + PSComputerName        : localhost
VERBOSE: [fv-az623-346]: [[AADConditionalAccessPolicy]CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration] Set-Targetresource: Finished processing Policy CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime
VERBOSE: [fv-az623-346]: LCM:  [ End    Set      ]  [[AADConditionalAccessPolicy]CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration]  in 1.4090 seconds.
##[error]The PowerShell DSC resource '[AADConditionalAccessPolicy]CAP002-Global-AllApps-UserRiskHigh-MFAAndPasswordChange-FreqEveryTime::[EntraID]EntraID_Configuration' with SourceInfo 'D:\a\1\s\M365Config\0.0.1\DSCResources\EntraID\EntraID.schema.psm1::45::17::AADConditionalAccessPolicy' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
VERBOSE: [fv-az623-346]: LCM:  [ Start  Resource ]  [[AADConditionalAccessPolicy]CAP003-Global-AllApps-SignInRiskMediumAndHigh-MFA-FreqEveryTime::[EntraID]EntraID_Configuration]

Environment Information + PowerShell Version

No response
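The issue was closed as solved without the fix being posted, so the following is an added example, not part of the issue and not Microsoft365DSC's own code. It is a pre-flight check for the hashtable you are about to hand to the resource, encoding the requirements the Entra admin center states for "Require password change": it must be combined with "Require multifactor authentication" under "Require all the selected controls", the policy must carry a user risk condition, and it must target all cloud apps. Treating those as the constraints the Graph API enforces on this path (and therefore as the cause of the BadRequest above) is an assumption; so are the function name Test-CAPasswordChangeGrant and the hashtable keys, which simply mirror the DSC property names from the block above.

```powershell
# Added example (not from the issue or Microsoft365DSC). Validates a
# conditional-access grant-control set before Set-TargetResource sends it
# to Graph. Assumption: passwordChange must be paired with mfa under
# operator AND, with a UserRiskLevels condition and IncludeApplications = All,
# as the Entra admin center requires for "Require password change".

function Test-CAPasswordChangeGrant {
    [CmdletBinding()]
    param(
        # Hashtable keyed like the AADConditionalAccessPolicy properties.
        [Parameter(Mandatory)] [hashtable] $Policy
    )

    $problems = [System.Collections.Generic.List[string]]::new()
    $controls = @($Policy.BuiltInControls | Where-Object { $_ })

    if ($controls -contains 'passwordChange') {
        if ($controls -notcontains 'mfa') {
            $problems.Add('passwordChange requires mfa in BuiltInControls')
        }
        if ($Policy.GrantControlOperator -ne 'AND') {
            $problems.Add('passwordChange requires GrantControlOperator = AND')
        }
        $risk = @($Policy.UserRiskLevels | Where-Object { $_ })
        if ($risk.Count -eq 0) {
            $problems.Add('passwordChange requires a UserRiskLevels condition')
        }
        $apps = @($Policy.IncludeApplications | Where-Object { $_ })
        if ($apps -notcontains 'All') {
            $problems.Add('passwordChange requires IncludeApplications = All')
        }
    }

    [pscustomobject]@{
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed input mirroring the grant-relevant settings of the failing block.
$failing = @{
    BuiltInControls      = @('passwordChange')
    GrantControlOperator = 'AND'
    UserRiskLevels       = @('high')
    IncludeApplications  = @('All')
}
(Test-CAPasswordChangeGrant -Policy $failing).Problems

# The same block with the pairing the policy's own DisplayName describes:
# MFA and password change, required together.
$fixed = $failing.Clone()
$fixed.BuiltInControls = @('mfa', 'passwordChange')
(Test-CAPasswordChangeGrant -Policy $fixed).IsValid
```

Run the check against each exported policy hashtable before invoking Start-DscConfiguration; a non-empty Problems list is cheaper to read than a BadRequest with no message body.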

@gbs916
Author

gbs916 commented May 17, 2024

Solved

@gbs916 gbs916 closed this as completed May 17, 2024