sign_in_frequency 'Every time' parameter

[cbshapil]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The Conditional Access Policy resource is missing the sign_in_frequency 'Every time' parameter in the session_controls block.

Affected Resource(s)

• azuread_conditional_access_policy

References

• N/A

[cbshapil]

conditions {
    client_app_types              = [
        "all",
    ]
    service_principal_risk_levels = []
    sign_in_risk_levels           = []
    user_risk_levels              = [
        "high",
        "medium",
    ]

    applications {
        excluded_applications = []
        included_applications = [
            "All",
        ]
    }

    users {
        excluded_groups = [
            "956c7c1d-eeb8-454b-aaca-938e97b2ff56"
        ]
        excluded_roles  = []
        excluded_users  = []
        included_groups = [
            "35ac2a9a-0d74-42e1-6t73-e0bdae507ae1",
        ]
        included_roles  = []
        included_users  = []
    }
}

grant_controls {
    built_in_controls             = [
        "mfa",
        "passwordChange",
    ]
    custom_authentication_factors = []
    operator                      = "AND"
    terms_of_use                  = []
}

session_controls {
    sign_in_frequency_authentication_type     = "primaryAndSecondaryAuthentication"
    sign_in_frequency_interval                = "everyTime"
}

The above policy creation fails with the following error (even though the applicationEnforcedRestrictions and disableResilienceDefaults parameters are not specified):

azuread_conditional_access_policy.CADev: Creating...
╷
│ Error: Could not create conditional access policy
│
│ with azuread_conditional_access_policy.CADev,
│ on CADev.tf line 10, in resource "azuread_conditional_access_policy" "CADev":
│ 10: resource "azuread_conditional_access_policy" "CADev" {
│
│ ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls,
│ 'applicationEnforcedRestrictions, disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time
│ is supported. For examples, please see the API documentation at
│ https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.

A similar policy created in Microsoft Graph including the "isEnabled" parameter works. Looks like support for this property is required too. I believe this property is the equivalent to ticking the "Sign-in frequency" tickbox in the portal experience.

"signInFrequency": {
"value": null,
"type": null,
"authenticationType": "primaryAndSecondaryAuthentication",
"frequencyInterval": "everyTime",
"isEnabled": true
}

[ngrande]

Ran into the same issue here.

resource "azuread_conditional_access_policy" "require_pw_change_for_risky_users" {
  display_name = "Require Password Change For Risky Users"
  state        = "enabledForReportingButNotEnforced"
  #state = "enabled"

  conditions {
    client_app_types              = ["all"]
    service_principal_risk_levels = []
    sign_in_risk_levels           = []
    user_risk_levels              = ["high"]

    applications {
      included_applications = ["All"]
    }

    users {
      excluded_groups = [azuread_group.group_XYZ.id]
      included_users  = ["All"]
    }
  }
  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "passwordChange"]
  }

  session_controls {
    sign_in_frequency_interval = "everyTime"
  }
}

Results in the error

│ Error: Could not update conditional access policy with ID: "a57a2b3b-91aa-4256-b186-99533616da36"
│ 
│   with azuread_conditional_access_policy.require_pw_change_for_risky_users,
│   on conditional_access.tf line 85, in resource "azuread_conditional_access_policy" "require_pw_change_for_risky_users":
│   85: resource "azuread_conditional_access_policy" "require_pw_change_for_risky_users" {
│ 
│ ConditionalAccessPoliciesClient.BaseClient.Patch(): unexpected status 400 with OData error: BadRequest: 1115: The specified session controls,
│ 'applicationEnforcedRestrictions, disableResilienceDefaults', are not supported with the password change control; only signInFrequency every time is supported. For examples,
│ please see the API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccesspolicy-update?view=graph-rest-1.0.

[goldjg]

Hitting this same issue just now, has been driving me nuts. Sort of glad I can confirm it's not a problem between keyboard and chair :-)
But as I'm trying to move all of our CA to being as code through Terraform, this is a major blocker :(

Has anyone found a workaround?