microsoft · garretth9 · Sep 15, 2022 · Sep 16, 2022
@@ -116,6 +116,10 @@ function Get-TargetResource
         [System.String[]]
         $BuiltInControls,
 
+        [Parameter()]
+        [System.String[]]
+        $CustomControls,
+
         #ConditionalAccessSessionControls
         [Parameter()]
         [System.Boolean]
@@ -683,6 +687,8 @@ function Get-TargetResource
             GrantControlOperator                     = $Policy.GrantControls.Operator
             #no translation or conversion needed
             BuiltInControls                          = [System.String[]](@() + $Policy.GrantControls.BuiltInControls)
+            #no translation or conversion needed
+            CustomControls                          = [System.String[]](@() + $Policy.GrantControls.CustomAuthenticationFactors)
             #no translation needed, return empty string array if undefined
             ApplicationEnforcedRestrictionsIsEnabled = $false -or $Policy.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
             #make false if undefined, true if true
@@ -831,6 +837,10 @@ function Set-TargetResource
         [System.String[]]
         $BuiltInControls,
 
+        [Parameter()]
+        [System.String[]]
+        $CustomControls,
+
         #ConditionalAccessSessionControls
         [Parameter()]
         [System.Boolean]
@@ -1557,7 +1567,7 @@ function Set-TargetResource
         #create and provision Grant Control object
         Write-Verbose -Message "Set-Targetresource: create and provision Grant Control object"
 
-        if ($GrantControlOperator -and ($BuiltInControls -or $TermsOfUse))
+        if ($GrantControlOperator -and ($BuiltInControls -or $TermsOfUse -or $CustomControls))
         {
             $GrantControls = @{
                 Operator        = $GrantControlOperator
@@ -1568,9 +1578,14 @@ function Set-TargetResource
                 $GrantControls.Add("BuiltInControls", $BuiltInControls)
             }
 
+            if ($CustomControls)
+            {
+                $GrantControls.Add("CustomAuthenticationFactors", $CustomControls)
+            }
+
             if ($TermsOfUse)
             {
-                Write-Verbose -Message "Gettign Terms of Use {$TermsOfUse}"
+                Write-Verbose -Message "Getting Terms of Use {$TermsOfUse}"
                 $TermsOfUseObj = Get-MgAgreement | Where-Object -FilterScript {$_.DisplayName -eq $TermsOfUse}
                 $GrantControls.Add('TermsOfUse', $TermsOfUseObj.Id)
             }
@@ -1869,6 +1884,10 @@ function Test-TargetResource
         [System.String[]]
         $BuiltInControls,
 
+        [Parameter()]
+        [System.String[]]
+        $CustomControls,
+
         #ConditionalAccessSessionControls
         [Parameter()]
         [System.Boolean]

@@ -26,6 +26,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("Client App types in scope of the Policy.")] String ClientAppTypes[];
     [Write, Description("Operator to be used for Grant Controls."), ValueMap{"AND","OR"}, Values{"AND","OR"}] String GrantControlOperator;
     [Write, Description("List of built-in Grant Controls to be applied by the Policy.")] String BuiltInControls[];
+    [Write, Description("List of Custom Grant Control IDs to be applied by the Policy.")] String CustomControls[];
     [Write, Description("Specifies, whether Application Enforced Restrictions are enabled in the Policy.")] Boolean ApplicationEnforcedRestrictionsIsEnabled;
     [Write, Description("Specifies, whether Cloud App Security is enforced by the Policy.")] Boolean CloudAppSecurityIsEnabled;
     [Write, Description("Specifies, what Cloud App Security control is enforced by the Policy.")] String CloudAppSecurityType;

@@ -3,3 +3,7 @@
 ## Description
 
 This resource configures an Azure Active Directory Conditional Access Policy.
+
+## Notes
+The CustomControls attribute contains the IDs of the custom controls, not the names.
+The "Id" attribute is part of the custom control json definition.
@@ -275,6 +275,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                 $testParams = @{
                     ApplicationEnforcedRestrictionsIsEnabled = $True
                     BuiltInControls                          = @("Mfa", "CompliantDevice", "DomainJoinedDevice", "ApprovedApplication", "CompliantApplication")
+                    CustomControls                           = @("Custom_Control_MFA_21341251")
                     ClientAppTypes                           = @("Browser", "MobileAppsAndDesktopClients")
                     CloudAppSecurityIsEnabled                = $True
                     CloudAppSecurityType                     = "MonitorOnly"
@@ -352,6 +353,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                         GrantControls   = @{
                             Operator        = "AND"
                             BuiltInControls = @("Mfa", "CompliantDevice", "DomainJoinedDevice", "ApprovedApplication", "CompliantApplication")
+                            CustomControls  = @("Custom_Control_MFA_21341251")
                         }
                         SessionControls = @{
                             ApplicationEnforcedRestrictions = @{
@@ -592,6 +594,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                         GrantControls   = @{
                             _Operator       = "AND"
                             BuiltInControls = @("Mfa", "CompliantDevice", "DomainJoinedDevice", "ApprovedApplication", "CompliantApplication")
+                            CustomControls  = @("Custom_Control_MFA_21341251")
                         }
                         SessionControls = @{
                             ApplicationEnforcedRestrictions = @{

@@ -29,6 +29,7 @@
 | **ClientAppTypes** | Write | StringArray[] | Client App types in scope of the Policy. ||
 | **GrantControlOperator** | Write | String | Operator to be used for Grant Controls. |AND, OR|
 | **BuiltInControls** | Write | StringArray[] | List of built-in Grant Controls to be applied by the Policy. ||
+| **CustomControls** | Write | StringArray[] | List of Custom Grant Control IDs to be applied by the Policy. ||
 | **ApplicationEnforcedRestrictionsIsEnabled** | Write | Boolean | Specifies, whether Application Enforced Restrictions are enabled in the Policy. ||
 | **CloudAppSecurityIsEnabled** | Write | Boolean | Specifies, whether Cloud App Security is enforced by the Policy. ||
 | **CloudAppSecurityType** | Write | String | Specifies, what Cloud App Security control is enforced by the Policy. ||
@@ -107,4 +108,3 @@ Configuration Example
     }
 }
 ```
-