Conditional Access Policies: sessionControls.signInFrequency.frequencyInterval: "everyTime" is not supported in v1.0 API #647

Open
manicminer opened this issue Jun 25, 2024 · 0 comments
manicminer commented Jun 25, 2024

According to the documentation, it should be possible to specify frequencyInterval: "everyTime" in the signInFrequencySessionControl model in the v1.0 API; however, it seems this always returns a 400 response instructing the caller to use the Beta endpoint.

Here is the request I am sending to create a conditional access policy:

POST /v1.0/identity/conditionalAccess/policies HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.7.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/dev Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 895
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub...
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{
  "conditions": {
    "applications": {
      "includeApplications": [
        "All"
      ],
      "excludeApplications": [],
      "includeUserActions": []
    },
    "clientAppTypes": [
      "browser"
    ],
    "devices": null,
    "locations": {
      "includeLocations": [
        "All"
      ],
      "excludeLocations": []
    },
    "platforms": {
      "includePlatforms": [
        "all"
      ],
      "excludePlatforms": []
    },
    "servicePrincipalRiskLevels": [],
    "signInRiskLevels": [],
    "userRiskLevels": [],
    "users": {
      "includeUsers": [
        "All"
      ],
      "excludeUsers": [
        "GuestsOrExternalUsers"
      ],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    }
  },
  "displayName": "acctest-CONPOLICY-240625230036522960",
  "grantControls": null,
  "sessionControls": {
    "applicationEnforcedRestrictions": {
      "isEnabled": false
    },
    "cloudAppSecurity": null,
    "disableResilienceDefaults": false,
    "persistentBrowser": null,
    "signInFrequency": {
      "frequencyInterval": "everyTime",
      "isEnabled": true
    }
  },
  "state": "disabled"
}

And the response:

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 320c19a9-5002-4a0e-9369-34ff925d0f94
client-request-id: 320c19a9-5002-4a0e-9369-34ff925d0f94
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"LN2PEPF000114CC"}}
Date: Tue, 25 Jun 2024 22:01:02 GMT

{
  "error": {
    "code": "BadRequest",
    "message": "1038: The policy you are trying to create or update contains preview features. Use the Beta endpoint to create or update this policy.",
    "innerError": {
      "date": "2024-06-25T22:01:03",
      "request-id": "320c19a9-5002-4a0e-9369-34ff925d0f94",
      "client-request-id": "320c19a9-5002-4a0e-9369-34ff925d0f94"
    }
  }
}

If I send this same request to the beta endpoint, it is accepted:

POST /beta/identity/conditionalAccess/policies HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.7.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/dev Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub...
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip
Connection: close
Content-Length: 895

{
  "conditions": {
    "applications": {
      "includeApplications": [
        "All"
      ],
      "excludeApplications": [],
      "includeUserActions": []
    },
    "clientAppTypes": [
      "browser"
    ],
    "devices": null,
    "locations": {
      "includeLocations": [
        "All"
      ],
      "excludeLocations": []
    },
    "platforms": {
      "includePlatforms": [
        "all"
      ],
      "excludePlatforms": []
    },
    "servicePrincipalRiskLevels": [],
    "signInRiskLevels": [],
    "userRiskLevels": [],
    "users": {
      "includeUsers": [
        "All"
      ],
      "excludeUsers": [
        "GuestsOrExternalUsers"
      ],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    }
  },
  "displayName": "acctest-CONPOLICY-240625230036522960",
  "grantControls": null,
  "sessionControls": {
    "applicationEnforcedRestrictions": {
      "isEnabled": false
    },
    "cloudAppSecurity": null,
    "disableResilienceDefaults": false,
    "persistentBrowser": null,
    "signInFrequency": {
      "frequencyInterval": "everyTime",
      "isEnabled": true
    }
  },
  "state": "disabled"
}

This returns the expected 201 response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Content-Encoding: gzip
Location: https://na.prod.graph.ipc.msidentity.com/conditionalAccess/policies('22e89125-b41c-4d8a-9811-598cd3c70366')
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: edcc0a03-c654-4bb5-8ae0-5568f6c6ed72
client-request-id: edcc0a03-c654-4bb5-8ae0-5568f6c6ed72
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"LN2PEPF000114C1"}}
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:networkAccess&from=2022-02-01&to=2022-03-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:secureAppSessionMode&from=2023-07-01&to=2023-08-01>;rel="deprecation";type="text/html"
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:secureAppSessionMode&from=2023-07-01&to=2023-08-01>;rel="deprecation";type="text/html"
Deprecation: Thu, 17 Feb 2022 23:59:59 GMT
Sunset: Sat, 17 Feb 2024 23:59:59 GMT
OData-Version: 4.0
Date: Tue, 25 Jun 2024 22:01:19 GMT
Connection: close

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
  "id": "22e89125-b41c-4d8a-9811-598cd3c70366",
  "templateId": null,
  "displayName": "acctest-CONPOLICY-240625230036522960",
  "createdDateTime": "2024-06-25T22:01:18.2770637Z",
  "modifiedDateTime": null,
  "state": "disabled",
  "grantControls": null,
  "partialEnablementStrategy": null,
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [
      "browser"
    ],
    "times": null,
    "deviceStates": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": [
        "All"
      ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [
        "All"
      ],
      "excludeUsers": [
        "GuestsOrExternalUsers"
      ],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    },
    "platforms": {
      "includePlatforms": [
        "all"
      ],
      "excludePlatforms": []
    },
    "locations": {
      "includeLocations": [
        "All"
      ],
      "excludeLocations": []
    }
  },
  "sessionControls": {
    "disableResilienceDefaults": null,
    "applicationEnforcedRestrictions": null,
    "cloudAppSecurity": null,
    "persistentBrowser": null,
    "continuousAccessEvaluation": null,
    "secureSignInSession": null,
    "signInFrequency": {
      "value": null,
      "type": null,
      "authenticationType": "primaryAndSecondaryAuthentication",
      "frequencyInterval": "everyTime",
      "isEnabled": true
    }
  }
}

I picked this up after noticing that the Portal is using the Beta endpoint here, presumably due to this issue?

The problem with using the Beta endpoint is that it locks a policy into using "beta features", and you can no longer use the v1.0 API to work with it.

Downstream issue: hashicorp/terraform-provider-azuread#1417
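The behaviour reported above (v1.0 answering error 1038 for a policy with frequencyInterval "everyTime", beta accepting the same body) is easy to mishandle in an IaC client: a silent fallback to beta quietly locks the policy out of v1.0 management. The following Go program is an added example, not code from this issue, from Hamilton or from terraform-provider-azuread. It detects the 1038 rejection by its error envelope, flags the beta-only value before any request is sent, and refuses to fall back on its own. The fake Graph server, the trimmed policy body and the request-id in the rejection are constructed from the responses quoted in the issue; the "timeBased" value is the other documented signInFrequencyInterval value.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// graphError mirrors the error envelope in the issue's 400 response.
type graphError struct {
	Error struct {
		Code       string `json:"code"`
		Message    string `json:"message"`
		InnerError struct {
			RequestID string `json:"request-id"`
		} `json:"innerError"`
	} `json:"error"`
}

// ErrPreviewFeatures is returned when v1.0 answers with Graph error 1038.
var ErrPreviewFeatures = errors.New("policy contains preview features; Graph v1.0 refused it")

// isPreviewFeatureRejection reports whether a response is the "1038" preview-feature
// rejection shown in the issue, and returns the request-id for correlation with logs.
func isPreviewFeatureRejection(status int, body []byte) (bool, string) {
	if status != http.StatusBadRequest {
		return false, ""
	}
	var ge graphError
	if err := json.Unmarshal(body, &ge); err != nil {
		return false, ""
	}
	if ge.Error.Code == "BadRequest" && strings.HasPrefix(ge.Error.Message, "1038:") {
		return true, ge.Error.InnerError.RequestID
	}
	return false, ""
}

// usesEveryTimeSignInFrequency flags, before any request is sent, the value the issue
// shows v1.0 rejecting, so a pipeline can require explicit approval for beta-only policies.
func usesEveryTimeSignInFrequency(policy map[string]any) bool {
	sc, _ := policy["sessionControls"].(map[string]any)
	sif, _ := sc["signInFrequency"].(map[string]any)
	return sif["frequencyInterval"] == "everyTime"
}

// createPolicy posts to v1.0 only. It never falls back to beta by itself, because a
// policy created via beta can no longer be managed through v1.0 (see the issue text).
func createPolicy(client *http.Client, baseURL string, policy map[string]any) (string, error) {
	payload, err := json.Marshal(policy)
	if err != nil {
		return "", err
	}
	resp, err := client.Post(baseURL+"/v1.0/identity/conditionalAccess/policies",
		"application/json", bytes.NewReader(payload))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if ok, reqID := isPreviewFeatureRejection(resp.StatusCode, body); ok {
		return "", fmt.Errorf("%w (request-id %s)", ErrPreviewFeatures, reqID)
	}
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("unexpected status %d: %s", resp.StatusCode, body)
	}
	var created struct {
		ID string `json:"id"`
	}
	if err := json.Unmarshal(body, &created); err != nil {
		return "", err
	}
	return created.ID, nil
}

// newFakeGraph is a constructed stand-in for graph.microsoft.com reproducing the two
// responses in the issue: v1.0 rejects "everyTime" with error 1038, beta accepts it.
func newFakeGraph() *httptest.Server {
	const rejection = `{"error":{"code":"BadRequest","message":"1038: The policy you are trying to create or update contains preview features. Use the Beta endpoint to create or update this policy.","innerError":{"date":"2024-06-25T22:01:03","request-id":"320c19a9-5002-4a0e-9369-34ff925d0f94","client-request-id":"320c19a9-5002-4a0e-9369-34ff925d0f94"}}}`
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var policy map[string]any
		_ = json.NewDecoder(r.Body).Decode(&policy)
		w.Header().Set("Content-Type", "application/json")
		if strings.HasPrefix(r.URL.Path, "/v1.0/") && usesEveryTimeSignInFrequency(policy) {
			w.WriteHeader(http.StatusBadRequest)
			_, _ = w.Write([]byte(rejection))
			return
		}
		w.WriteHeader(http.StatusCreated)
		_, _ = w.Write([]byte(`{"id":"22e89125-b41c-4d8a-9811-598cd3c70366","state":"disabled"}`))
	}))
}

// samplePolicy is a trimmed, constructed copy of the issue's request body.
func samplePolicy(interval string) map[string]any {
	return map[string]any{
		"displayName": "acctest-CONPOLICY-240625230036522960",
		"state":       "disabled",
		"sessionControls": map[string]any{
			"signInFrequency": map[string]any{"frequencyInterval": interval, "isEnabled": true},
		},
	}
}

func main() {
	srv := newFakeGraph()
	defer srv.Close()
	_, err := createPolicy(srv.Client(), srv.URL, samplePolicy("everyTime"))
	fmt.Println("everyTime via v1.0:", err)
	id, err := createPolicy(srv.Client(), srv.URL, samplePolicy("timeBased"))
	fmt.Println("timeBased via v1.0:", id, err)
}
```

Matching on the "1038:" prefix rather than on the full message text keeps the check stable if Microsoft rewords the message, and returning a wrapped ErrPreviewFeatures lets the caller use errors.Is to decide whether to abort or to prompt for an explicit beta opt-in, instead of a blind retry against /beta.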
