
AADConditionalAccessPolicy: Get error "Failed creating new policy" or "Failed changing policy" since Update to V1.24.1106.1 #5365

Open
gbs916 opened this issue Nov 8, 2024 · 3 comments

Comments

@gbs916

gbs916 commented Nov 8, 2024

Description of the issue

I had to downgrade to version 1.24.1016.1 because I have a problem deploying the AADConditionalAccessPolicy resource with version 1.24.1106.1.
I have attached the verbose logs for the working (1.24.1016.1) and not working (1.24.1106.1) cases.

Working.txt
NotWorking.txt

If there is no change to the policy, the DSC task succeeds. If there is a change, or if it is a new policy, there is an error.

For info, my app registration has all the permissions mentioned in the doc: Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All

Microsoft 365 DSC Version

1.24.1106.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

```powershell
AADConditionalAccessPolicy "AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant"
{
    ApplicationId                          = "xxx";
    ApplicationEnforcedRestrictionsIsEnabled = $False;
    AuthenticationContexts                 = @();
    AuthenticationStrength                 = "Multifactor authentication";
    BuiltInControls                        = @("compliantDevice");
    CertificateThumbprint                  = "xxxx";
    ClientAppTypes                         = @("all");
    CloudAppSecurityIsEnabled              = $False;
    CloudAppSecurityType                   = "";
    CustomAuthenticationFactors            = @();
    DeviceFilterRule                       = "";
    DisplayName                            = "Test-CAP001-Global-AllApps-NoCondition-MFAorCompliant";
    Ensure                                 = "Present";
    ExcludeApplications                    = @("5c91ae52-d26e-444-aa28-31fd7e705483","55d611b0-7d33-8888-8df3-6041868930d7","00000009-0000-0000-c000-000000000000");
    ExcludeExternalTenantsMembers          = @();
    ExcludeExternalTenantsMembershipKind   = "all";
    ExcludeGroups                          = @("GPAZ-AzureAD-MFA-Bypass");
    ExcludeGuestOrExternalUserTypes        = @("internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider");
    ExcludeLocations                       = @();
    ExcludePlatforms                       = @();
    ExcludeRoles                           = @();
    ExcludeUsers                           = @();
    GrantControlOperator                   = "OR";
    IncludeApplications                    = @("All");
    IncludeExternalTenantsMembers          = @();
    IncludeExternalTenantsMembershipKind   = "";
    IncludeGroups                          = @();
    IncludeLocations                       = @();
    IncludePlatforms                       = @();
    IncludeRoles                           = @();
    IncludeUserActions                     = @();
    IncludeUsers                           = @("All");
    PersistentBrowserIsEnabled             = $False;
    PersistentBrowserMode                  = "";
    SignInFrequencyIsEnabled               = $False;
    SignInFrequencyType                    = "";
    SignInRiskLevels                       = @();
    State                                  = "enabled";
    TenantId                               = "toto.onmicrosoft.com";
    UserRiskLevels                         = @();
}
```

Verbose logs showing the problem

```text
2024-11-08T07:28:21.4890627Z insiderRiskLevels=
2024-11-08T07:28:21.4894714Z
2024-11-08T07:28:21.4904645Z platforms=$null
2024-11-08T07:28:21.4905153Z
2024-11-08T07:28:21.5710111Z signInRiskLevels=()
2024-11-08T07:28:21.6750447Z ##[error]Set-Targetresource: Failed changing policy CAP001-Global-AllApps-NoCondition-MFAorCompliant
2024-11-08T07:28:21.6769980Z
2024-11-08T07:28:21.6779275Z userRiskLevels=()
2024-11-08T07:28:21.6819392Z
2024-11-08T07:28:21.7070014Z ##[error]+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-TargetResource
+ PSComputerName : localhost
2024-11-08T07:28:21.7091874Z users={excludeGroups=(4d724a52-9dd2-4a2e-aa66-da1c54ee56ae)
2024-11-08T07:28:21.7092676Z
2024-11-08T07:28:21.7146390Z excludeGuestsOrExternalUsers={externalTenants={@odata.type=#microsoft.graph.conditionalAccessAllExternalTenants
2024-11-08T07:28:21.7147233Z
2024-11-08T07:28:21.7149757Z ##[error]The PowerShell DSC resource
'[AADConditionalAccessPolicy]CAP001-Global-AllApps-NoCondition-MFAorCompliant::[EntraID]EntraID_Configuration' with
SourceInfo 'D:\a\1\s\M365Config\0.0.1\DSCResources\EntraID\EntraID.schema.psm1::46::21::AADConditionalAccessPolicy'
threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged
to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
2024-11-08T07:28:21.7156179Z membershipKind=all}
2024-11-08T07:28:21.7163050Z
2024-11-08T07:28:21.7173692Z guestOrExternalUserTypes=internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalU
2024-11-08T07:28:21.7206974Z ser,serviceProvider}
2024-11-08T07:28:21.7552570Z ##[error]+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
2024-11-08T07:28:21.7563120Z
```

Environment Information + PowerShell Version

No response

@FabienTschanz
Contributor

@gbs916 Can you please try again with the latest version 1.24.1106.2, which will be available in the PowerShell Gallery shortly? There was an emergency fix in #5357 which addressed an issue with the URLs being called.

@gbs916
Author

gbs916 commented Nov 8, 2024

@FabienTschanz thanks for the info. I will test when version 1.24.1106.2 is available on PS gallery.

@gbs916
Author

gbs916 commented Nov 12, 2024

@FabienTschanz, unfortunately I still have the same error after updating to version 1.24.1106.3.
I updated, exported the configuration again with the new module version, changed one small thing in a conditional access policy and tried to deploy again with "Start-DSCConfiguration".

```text
VERBOSE: [WINAA5CD4370Y79]:
[[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant] PATCH
https://graph.microsoft.com/beta/identity/conditionalAccess/policies/717d8265-86d0-4bb8-9f32-bec7d6ffd089 with 1167-byte payload
VERBOSE: [WINAA5CD4370Y79]:
[[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant] received 547-byte response of content type
application/json
Set-Targetresource: Failed changing policy CAP001-Global-AllApps-NoCondition-MFAorCompliant
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-TargetResource
    + PSComputerName        : localhost

VERBOSE: [WINAA5CD4370Y79]:
[[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant] Set-Targetresource: Finished processing
Policy CAP001-Global-AllApps-NoCondition-MFAorCompliant
VERBOSE: [WINAA5CD4370Y79]: LCM:  [ End    Set      ]
[[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant]  in 3.0650 seconds.
The PowerShell DSC resource '[AADConditionalAccessPolicy]AADConditionalAccessPolicy-CAP001-Global-AllApps-NoCondition-MFAorCompliant' with
SourceInfo '::7::9::AADConditionalAccessPolicy' threw one or more non-terminating errors while running the Set-TargetResource functionality. These
errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [WINAA5CD4370Y79]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 49.327 seconds
```
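Both failure logs above end with the same hint: the Set-TargetResource error details (including the 547-byte JSON body that Graph returned to the PATCH) are written to the Microsoft-Windows-DSC/Operational ETW channel rather than to the console. The following snippet is an added troubleshooting example, not code from the issue or from the Microsoft365DSC project; it assumes it runs elevated on the node that executed Start-DscConfiguration, and the one-hour window and the resource-name filter are constructed for this page.

```powershell
# Added example: read the DSC operational ETW channel named in the error message,
# keep only error-level events from the last run, and show the failing resource's
# full message text (where the underlying Graph error surfaces).
# Assumption: the failed Start-DscConfiguration run happened within the last hour.
$since = (Get-Date).AddHours(-1)

$filter = @{
    LogName   = 'Microsoft-Windows-DSC/Operational'
    Level     = 2          # 2 = Error
    StartTime = $since
}

# Constructed filter: the resource type seen in both logs on this page.
$resourcePattern = 'AADConditionalAccessPolicy'

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    Where-Object { $_.Message -match $resourcePattern } |
    Sort-Object TimeCreated

foreach ($evt in $events) {
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        EventId = $evt.Id
        JobId   = $evt.Properties[0].Value   # first property is the DSC job GUID
        Message = $evt.Message
    } | Format-List
}

# Cross-check with the LCM's own record of the last applied configuration:
# Status should be 'Failure' for the run shown above, and Error carries the
# same non-terminating error text, which confirms the ETW events belong to it.
Get-DscConfigurationStatus -All |
    Select-Object StartDate, Status, ResourcesNotInDesiredState, Error |
    Format-List
```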
