Object types on New-MgIdentityConditionalAccessPolicy are incorrect #1236

Closed
jspern opened this issue Apr 29, 2022 · 4 comments

jspern commented Apr 29, 2022

The object types listed for New-MgIdentityConditionalAccessPolicy all begin with a letter "I" which is incorrect. Trying to generate new objects using these types results in errors. The leading "I" needs to be removed.

@ghost ghost added the ToTriage label Apr 29, 2022
Member

peombwa commented May 3, 2022

The object types are interfaces hence the I prefix. How are you creating new objects, and which errors are you getting? Interfaces are valid types in PowerShell/.NET and serve a purpose in the commands.

The interfaces (optional) can be used to create a new non-custom object as shown below without any issue:

$params = [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphConditionalAccessPolicy]@{
	DisplayName = "Access to EXO requires MFA"
	State = "enabled"
	# Add more properties.
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

See the examples at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0&tabs=powershell#example-1-require-mfa-to-access-exchange-online-outside-of-trusted-locations for more details.

Author

jspern commented May 3, 2022

After further testing it appears the issue is in PowerShell 7. Building the object the way you demonstrated and then running the command to create the policy works fine in Windows PowerShell, but in PowerShell 7 you will get errors similar to this:

New-MgIdentityConditionalAccessPolicy_Create1: 1010: At least one include rule in 'users' condition is required. Try 'includeUsers' = ['none'] to start with. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.

Member

peombwa commented May 10, 2022

I'm able to repro the same on my end. Yes, this is an issue with PowerShell 7 when pasting the snippet; it works fine when running it as a script. You can also create the object without the interface, i.e.,

$params = @{
	DisplayName = "Access to EXO requires MFA"
	State = "enabled"
	Conditions = @{
		ClientAppTypes = @(
			"mobileAppsAndDesktopClients"
			"browser"
		)
		Applications = @{
			IncludeApplications = @(
				"00000002-0000-0ff1-ce00-000000000000"
			)
		}
		Users = @{
			IncludeGroups = @(
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			)
		}
		Locations = @{
			IncludeLocations = @(
				"All"
			)
			ExcludeLocations = @(
				"AllTrusted"
			)
		}
	}
	GrantControls = @{
		Operator = "OR"
		BuiltInControls = @(
			"mfa"
		)
	}
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Member

peombwa commented May 10, 2022

I've opened an issue against the PSReadLine module for them to fix the pasting issue. A fix will be provided by PowerShell/PSReadLine#3306.
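
A body that reaches the service without an include rule under the users condition is rejected with the 1010 error quoted above. The following is an added example, not code from this thread or from the Microsoft.Graph SDK: it checks a hashtable body locally before the policy is submitted. `Test-CaPolicyBody` is a hypothetical helper name, and the sample body is constructed from the two-property snippet in the first reply.

```powershell
# Added example: hypothetical helper, not part of the Microsoft.Graph module.
function Test-CaPolicyBody {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [hashtable] $Body
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    if ([string]::IsNullOrWhiteSpace($Body.DisplayName)) {
        $problems.Add("DisplayName is missing.")
    }

    # State values defined for the Graph conditionalAccessPolicy resource.
    $validStates = 'enabled', 'disabled', 'enabledForReportingButNotEnabled'
    if ($Body.State -notin $validStates) {
        $problems.Add("State '$($Body.State)' is not one of: $($validStates -join ', ').")
    }

    # The 1010 error in this thread: the users condition needs an include rule.
    $users       = $Body.Conditions.Users
    $includeKeys = 'IncludeUsers', 'IncludeGroups', 'IncludeRoles'
    $hasInclude  = $false
    if ($users -is [hashtable]) {
        foreach ($key in $includeKeys) {
            # Filter out $null and empty strings before counting entries.
            if (@($users[$key] | Where-Object { $_ }).Count -gt 0) { $hasInclude = $true }
        }
    }
    if (-not $hasInclude) {
        $problems.Add("Conditions.Users has no include rule ($($includeKeys -join ', ')).")
    }

    $problems
}

# Constructed sample: a body with no Conditions, so the users check fails.
$params = @{
    DisplayName = "Access to EXO requires MFA"
    State       = "enabled"
}

$problems = @(Test-CaPolicyBody -Body $params)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $params
}
```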
