
Authentication methods always update even though there is no change in reference id #5280

Open
MarzelLaning42 opened this issue Oct 28, 2024 · 0 comments


Description of the issue

Audit log shows change to Conditional Access policy for Authentication Strength every time M365DSC applies configuration.

BEFORE

"grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "customAuthenticationFactors": [],
            "termsOfUse": [],
            "authenticationStrength": {
                  "id": "4df70e26-73d3-46ba-914b-ed737c26d375"
            }
      }

AFTER

"grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "customAuthenticationFactors": [],
            "termsOfUse": [],
            "authenticationStrength": {
                  "id": "4df70e26-73d3-46ba-914b-ed737c26d375",
                  "createdDateTime": "2024-04-09T08:38:56.2190622Z",
                  "modifiedDatetime": "2024-04-09T08:58:37.7173872Z",
                  "displayName": "AUTHMETHOD",
                  "description": "",
                  "policyType": 1,
                  "requirementsSatisfied": 1,
                  "allowedCombinations": [
                        "WindowsHelloForBusiness",
                        "Fido2",
                        "X509CertificateMultiFactor",
                        "DeviceBasedPush",
                        "TemporaryAccessPassOneTime",
                        "TemporaryAccessPassMultiUse",
                        "Password, MicrosoftAuthenticatorPush",
                        "Password, SoftwareOath",
                        "Password, HardwareOath"
                  ],
                  "combinationConfigurations": []
            }
      }

It appears as though M365DSC pushes all authentication methods in the Authentication Strength policy instead of just a reference id to the policy.

Can this be prevented, or is this the way the beta Graph API works currently?

The issue I have with this is the fact that the Authentication Strength reference ID did not change, but in the audit log this is always seen as a change, since the call references the complete Authentication Strength policy settings instead of just the ID.

Microsoft 365 DSC Version

V1.24.1016.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

    AADConditionalAccessPolicy "AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforHighSignInRisk"
    {
        TenantId                                 = $tenantID;
        ApplicationId                            = $ApplicationId;
        CertificateThumbprint                    = $CertificateThumbprint;
        DisplayName                              = "CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforHighSignInRisk";
        Ensure                                   = "Present";
        BuiltInControls                          = @();
        AuthenticationStrength                   = "AUTHMETHOD";
        GrantControlOperator                     = "AND";
        ClientAppTypes                           = @("all");
        IncludeApplications                      = @("All");
        ExcludeApplications                      = @();
        IncludeUsers                             = @();
        ExcludeUsers                             = @();
        IncludeGroups                            = @("Internals");
        ExcludeGroups                            = @("BreakGlassAccounts");
        SignInRiskLevels                         = @("high");
        ApplicationEnforcedRestrictionsIsEnabled = $False;
        AuthenticationContexts                   = @();
        CloudAppSecurityIsEnabled                = $False;
        CloudAppSecurityType                     = "";
        CustomAuthenticationFactors              = @();
        DeviceFilterRule                         = "";
        ExcludeExternalTenantsMembers            = @();
        ExcludeExternalTenantsMembershipKind     = "";
        ExcludeLocations                         = @();
        ExcludePlatforms                         = @();
        ExcludeRoles                             = @();
        IncludeExternalTenantsMembers            = @();
        IncludeExternalTenantsMembershipKind     = "";
        IncludeLocations                         = @();
        IncludePlatforms                         = @();
        IncludeRoles                             = @();
        IncludeUserActions                       = @();
        PersistentBrowserIsEnabled               = $False;
        PersistentBrowserMode                    = "";
        SignInFrequencyIsEnabled                 = $False;
        SignInFrequencyType                      = "";
        State                                    = "enabled";
    }

Verbose logs showing the problem

2024-10-28T08:30:24.7489767Z Set-Targetresource: Change policy
2024-10-28T08:30:24.7490409Z CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforHighSignInRisk
2024-10-28T08:30:24.7541585Z VERBOSE: [fv-az623-348]:
2024-10-28T08:30:24.7543059Z [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforH
2024-10-28T08:30:24.7544147Z ighSignInRisk] Updating existing policy with values: ConditionalAccessPolicyId=7a5c1967-cc34-483f-a0c7-8cff8cd18900
2024-10-28T08:30:24.7544492Z
2024-10-28T08:30:24.7544843Z conditions={applications={excludeApplications=()
2024-10-28T08:30:24.7545087Z
2024-10-28T08:30:24.7545396Z includeApplications=(All)}
2024-10-28T08:30:24.7545610Z
2024-10-28T08:30:24.7545909Z clientAppTypes=(all)
2024-10-28T08:30:24.7546128Z
2024-10-28T08:30:24.7546420Z platforms=$null
2024-10-28T08:30:24.7546622Z
2024-10-28T08:30:24.7546918Z signInRiskLevels=(high)
2024-10-28T08:30:24.7547128Z
2024-10-28T08:30:24.7547690Z users={excludeGroups=(3e501c2f-f7b5-4eab-93f3-ab426e43ebee)
2024-10-28T08:30:24.7547944Z
2024-10-28T08:30:24.7548235Z excludeRoles=()
2024-10-28T08:30:24.7548423Z
2024-10-28T08:30:24.7548728Z excludeUsers=()
2024-10-28T08:30:24.7548914Z
2024-10-28T08:30:24.7549360Z includeGroups=(27f9c9ba-397e-4ce3-8340-86539484489a)
2024-10-28T08:30:24.7549598Z
2024-10-28T08:30:24.7549905Z includeRoles=()
2024-10-28T08:30:24.7550094Z
2024-10-28T08:30:24.7550398Z includeUsers=()}}
2024-10-28T08:30:24.7550587Z
2024-10-28T08:30:24.7551092Z displayName=CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforHighSignInRisk
2024-10-28T08:30:24.7551365Z
2024-10-28T08:30:24.7551786Z grantControls={authenticationStrength={@odata.type=#microsoft.graph.authenticationStrengthPolicy
2024-10-28T08:30:24.7552062Z
2024-10-28T08:30:24.7552478Z id=4df70e26-73d3-46ba-914b-ed737c26d375}
2024-10-28T08:30:24.7552696Z
2024-10-28T08:30:24.7553012Z operator=AND}
2024-10-28T08:30:24.7553208Z
2024-10-28T08:30:24.7553517Z sessionControls=$null
2024-10-28T08:30:24.7553710Z
2024-10-28T08:30:24.7554004Z state=enabled
2024-10-28T08:30:24.8239872Z VERBOSE: [fv-az623-348]:
2024-10-28T08:30:24.8240887Z [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforH
2024-10-28T08:30:24.8241505Z ighSignInRisk] PATCH
2024-10-28T08:30:24.8242253Z https://graph.microsoft.com/beta/identity/conditionalAccess/policies/7a5c1967-cc34-483f-a0c7-8cff8cd18900 with 723-byte
2024-10-28T08:30:24.8242686Z payload
2024-10-28T08:30:25.5170739Z VERBOSE: [fv-az623-348]:
2024-10-28T08:30:25.5172153Z [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforH
2024-10-28T08:30:25.5173222Z ighSignInRisk] received 0-byte response of content type
2024-10-28T08:30:25.5261459Z VERBOSE: [fv-az623-348]:
2024-10-28T08:30:25.5262109Z [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforH
2024-10-28T08:30:25.5266342Z ighSignInRisk] Set-Targetresource: Finished processing Policy
2024-10-28T08:30:25.5269383Z CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforHighSignInRisk
2024-10-28T08:30:25.5280695Z VERBOSE: [fv-az623-348]: LCM: [ End Set ]
2024-10-28T08:30:25.5284181Z [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforH
2024-10-28T08:30:25.5288405Z ighSignInRisk] in 2.5980 seconds.
2024-10-28T08:30:25.5288954Z VERBOSE: [fv-az623-348]: LCM: [ End Resource ]
2024-10-28T08:30:25.5289544Z [[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CA0212-Internals-IdentityProtection-AllApps-AnyPlatform-MFAforH
2024-10-28T08:30:25.5289965Z ighSignInRisk]

Environment Information + PowerShell Version

windows-latest azure pipeline agent
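An added example, not part of this issue or of the M365DSC project: a PowerShell helper that compares two audit-log snapshots of a Conditional Access policy's grantControls, reducing the authenticationStrength object to its id so that the expanded policy settings returned by Graph do not register as a change. The sample snapshots are constructed from the BEFORE/AFTER JSON above; the function names are hypothetical.

```powershell
# Added example (not M365DSC's own code). Flattens grantControls so that an
# authenticationStrength reference is compared by id only, ignoring the
# expanded displayName/allowedCombinations/etc. that the audit log carries.
function Get-NormalizedGrantControls {
    param([Parameter(Mandatory)] [string] $Json)
    $gc = ($Json | ConvertFrom-Json).grantControls
    $strengthId = $null
    if ($null -ne $gc.authenticationStrength) { $strengthId = $gc.authenticationStrength.id }
    [pscustomobject]@{
        operator                    = $gc.operator
        builtInControls             = (@($gc.builtInControls) | Sort-Object) -join ','
        customAuthenticationFactors = (@($gc.customAuthenticationFactors) | Sort-Object) -join ','
        termsOfUse                  = (@($gc.termsOfUse) | Sort-Object) -join ','
        authenticationStrengthId    = $strengthId
    }
}

# Returns Changed = $true only when a field other than the expanded
# authentication strength details differs; Fields lists what differed.
function Test-MaterialGrantControlChange {
    param([Parameter(Mandatory)] [string] $BeforeJson,
          [Parameter(Mandatory)] [string] $AfterJson)
    $before = Get-NormalizedGrantControls -Json $BeforeJson
    $after  = Get-NormalizedGrantControls -Json $AfterJson
    $changed = foreach ($p in $before.PSObject.Properties.Name) {
        if ($before.$p -ne $after.$p) { $p }
    }
    [pscustomobject]@{ Changed = [bool]$changed; Fields = @($changed) }
}

# Constructed sample snapshots, wrapped in an object so they parse as JSON.
$beforeJson = @'
{ "grantControls": { "operator": "OR", "builtInControls": [], "customAuthenticationFactors": [],
  "termsOfUse": [], "authenticationStrength": { "id": "4df70e26-73d3-46ba-914b-ed737c26d375" } } }
'@
$afterJson = @'
{ "grantControls": { "operator": "OR", "builtInControls": [], "customAuthenticationFactors": [],
  "termsOfUse": [], "authenticationStrength": { "id": "4df70e26-73d3-46ba-914b-ed737c26d375",
  "displayName": "AUTHMETHOD", "policyType": 1,
  "allowedCombinations": [ "Fido2", "Password, SoftwareOath" ] } } }
'@

Test-MaterialGrantControlChange -BeforeJson $beforeJson -AfterJson $afterJson
```

Because the operator is among the compared fields, a snapshot pair such as the DSC configuration's GrantControlOperator of "AND" against the audit log's "OR" would be reported as a material change, which is the kind of difference worth checking before attributing every entry to audit-log noise.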
