Unexpected behaviour with session_controls #1235
Comments
@dankitch Thanks for reporting this. We added support for session controls in v2.45 under the assumption that these were defaulted in all CAPs, which we observed during testing. Would you be able to post a copy of your policy as returned by the API, e.g. https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/3aa40000-ac1d-0000-9534-aa9e00000000? If the policy has already been updated by v2.45, could you possibly post a copy of a policy that hasn't yet been updated by this version? That'd be really appreciated. Preferably an older policy, and maybe even one created outside of Terraform initially, if you have any that fit these criteria.
@manicminer Thanks for the response. Here is a copy of the policy which has been provisioned using azuread v2.44.1: v2.44.1
Here is a copy of the policy provisioned using azuread v2.45.0: v2.45.0
Other than the displayName, createdDateTime, modifiedDateTime, and of course the policy id, both policies match. However, when reviewing the state file, you can see the additional session controls in v2.45.0. Below is a comparison: v2.44.1 state
v2.45.0 state
Unfortunately, I don't have any policies created outside of Terraform anymore. Is it worth creating one using the GUI to compare against, or will that not make much difference? Thanks!
I am getting the same issue. If I do a terraform apply these settings appear to be applied, but then they re-appear in the plan (not idempotent).
I get the same issue for a policy where the only setting of in
The bug is caused by the default values on the optional parameter: terraform-provider-azuread/internal/services/conditionalaccess/conditional_access_policy_resource.go, Line 585 in 7b69d83
This line is also related; it sets the sign-in frequency to 0, which may trigger it to use defaults: terraform-provider-azuread/internal/services/conditionalaccess/conditionalaccess.go, Line 158 in 7b69d83
Here is the block for session controls sign-in frequency; isEnabled can be false
Terraform (and AzureAD Provider) Version
Terraform: 1.6.2
AzureAD: 2.45.0
Affected Resource(s)
azuread_conditional_access_policy
Problem
In one of my CA policies, I am setting application_enforced_restrictions_enabled to true. This is the only session control defined in this particular policy. Today, I noticed that when performing a plan, the following session_controls are now "added":
Terraform plan output
Expected Behavior
Expected behaviour is no change to the policy. I haven't defined these additional session controls in my terraform configuration.
Policy configuration
Actual Behavior
After performing an apply, the state file contains these new session_controls, but when looking at the policy in the Azure portal, it looks as I would expect. There's no visible change to the policy, but it is unclear at this stage what effect these additional session controls could be having on the policy.
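To illustrate both the symptom reported above (a policy that only sets application_enforced_restrictions_enabled gains session controls it never declared) and the diagnosis in the comments (a schema default on the optional sign_in_frequency attribute sends a zero-valued block, which the read path then writes back to state), here is an added Go model of the expand/flatten round-trip. It is not the provider's code: the struct and function names are hypothetical, and the configuration is represented as a plain map for brevity.

```go
package main
import "reflect"

// Hypothetical, simplified model of the session_controls round-trip (not the
// terraform-provider-azuread code). Optional API fields are pointers, as in
// msgraph, so "never sent" and "sent as zero" can be told apart.
type SignInFrequency struct {
	IsEnabled *bool
	Value     *int32
}

type SessionControls struct {
	AppEnforcedRestrictions *bool
	SignInFrequency         *SignInFrequency
}

// ExpandBuggy mimics an optional sign_in_frequency with a schema default of 0:
// a block the user never wrote is still sent, as Value=0 / IsEnabled=false.
func ExpandBuggy(cfg map[string]int) *SessionControls {
	v := int32(cfg["sign_in_frequency"]) // 0 when the user never set it
	enabled := v > 0
	t := cfg["application_enforced_restrictions_enabled"] == 1
	return &SessionControls{AppEnforcedRestrictions: &t,
		SignInFrequency: &SignInFrequency{IsEnabled: &enabled, Value: &v}}
}

// ExpandFixed builds the block only when the user actually configured it.
func ExpandFixed(cfg map[string]int) *SessionControls {
	t := cfg["application_enforced_restrictions_enabled"] == 1
	sc := &SessionControls{AppEnforcedRestrictions: &t}
	if v, ok := cfg["sign_in_frequency"]; ok && v > 0 {
		val, enabled := int32(v), true
		sc.SignInFrequency = &SignInFrequency{IsEnabled: &enabled, Value: &val}
	}
	return sc
}

// Flatten is the read path: every non-nil block is written to state, so an
// undeclared block surfaces as an "added" attribute on the next plan.
func Flatten(sc *SessionControls) map[string]int {
	state := map[string]int{}
	if sc.AppEnforcedRestrictions != nil && *sc.AppEnforcedRestrictions {
		state["application_enforced_restrictions_enabled"] = 1
	}
	if sc.SignInFrequency != nil && sc.SignInFrequency.Value != nil {
		state["sign_in_frequency"] = int(*sc.SignInFrequency.Value)
	}
	return state
}

// HasDrift reports whether state differs from config, i.e. the apply is not idempotent.
func HasDrift(cfg map[string]int, expand func(map[string]int) *SessionControls) bool {
	return !reflect.DeepEqual(cfg, Flatten(expand(cfg)))
}
```

With the reporter's configuration (only application_enforced_restrictions_enabled set), ExpandBuggy produces perpetual drift while ExpandFixed round-trips cleanly; a configuration that explicitly sets sign_in_frequency is stable under both.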