Conditional Access Policies: sessionControls.signInFrequency.frequencyInterval: "everyTime" is not supported in v1.0 API
#647
Comments
Spoke to one of the product group I'm talking to for something else that is CA and Graph related and they've nudged the engineering team re this issue (I was hitting this issue myself this week). Hopefully that gets it some momentum.
Hi @manicminer & @goldjg, our eng team verified that Sign-in Frequency every time is a partially GA feature - we currently support 3 scenarios in GA, listed in Conditional Access adaptive session lifetime policies - Microsoft Entra ID | Microsoft Learn. This is why the session control is still in the Beta API. There's active ongoing work to bring this to full GA, at which time the control will be available in Graph v1.0.
Hi Lisa,
The issue I had is that if I want to enforce a passwordChange and MFA grant control (for users whose UserRisk is High) then I’m being forced to select everyTime signinFrequency (in Terraform and also via the portal).
And that is where Terraform is being told by the v1.0 API endpoint to use the beta endpoint instead.
So if passwordChange+everyTime is a GA feature per the referenced documentation then it should work via the v1.0 endpoint.
I also wanted to set persistentBrowser to “never” but it won’t allow that in combination with the other settings. I also wanted to set signinFrequency to 1 hour alongside passwordChange but the response from TF/API is that you have to use everyTime if you use passwordChange.
So there seem to be either coding errors or documentation errors re what is an allowed combination of settings.
See hashicorp/terraform-provider-azuread#1225 (comment)
Still can't get this to work... (azuread provider v3.0.2). Consider the following TF:

```hcl
resource "azuread_conditional_access_policy" "Require_password_change_For_licensed_users_When_high_user_risk_is_detected" {
  display_name = "Require_password_change_For_licensed_users_When_high_user_risk_is_detected"
  state        = "enabledForReportingButNotEnforced"
  conditions {
    client_app_types = [
      "all",
    ]
    sign_in_risk_levels = []
    user_risk_levels = [
      "high",
    ]
    service_principal_risk_levels = []
    applications {
      excluded_applications = []
      included_applications = [
        "All",
      ]
    }
    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = []
      included_users = [
        "None"
      ]
    }
  }
  grant_controls {
    built_in_controls = [
      "mfa",
      "passwordChange"
    ]
    custom_authentication_factors = []
    operator                      = "AND"
    terms_of_use                  = []
  }
  session_controls {
    cloud_app_security_policy             = null
    disable_resilience_defaults           = null
    persistent_browser_mode               = null
    sign_in_frequency_authentication_type = "primaryAndSecondaryAuthentication"
    sign_in_frequency_interval            = "everyTime"
    sign_in_frequency_period              = "hours"
    sign_in_frequency                     = 1
  }
}
```

This still returns:
According to documentation, it should be possible to specify frequencyInterval: "everyTime" in the signInFrequencySessionControl model in the v1.0 API, however it seems this always returns a 400 response instructing to use the Beta endpoint.
Here is the request I am sending to create a conditional access policy:
And the response:
If I send this same request to the beta endpoint, it is accepted:
This returns the expected 201 response:
I picked this up after noticing that the Portal is using the Beta endpoint here, presumably due to this issue?
The problem with using the Beta endpoint is that it locks a policy into using "beta features" and you can no longer use the v1.0 API to work with it.
Downstream issue: hashicorp/terraform-provider-azuread#1417
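As an added example (not code from the issue, the Terraform provider, or the Graph SDK), the Graph v1.0 request body equivalent to the policy discussed in this thread, plus a check that reports the "use beta" 400 rather than silently retrying against beta. The exact wording of Graph's error message is assumed; it is matched only on the word "beta".

```python
# Constructed example: build the v1.0 conditionalAccessPolicy body, POST it, classify the result.
import json
import urllib.error
import urllib.request

def build_policy_body() -> dict:
    """v1.0 conditionalAccessPolicy JSON: MFA + password change on high user risk,
    sign-in frequency 'everyTime' (value/type omitted: they only apply to timeBased)."""
    return {
        "displayName": "Require_password_change_For_licensed_users_When_high_user_risk_is_detected",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "userRiskLevels": ["high"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["None"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
        "sessionControls": {"signInFrequency": {
            "isEnabled": True,
            "frequencyInterval": "everyTime",
            "authenticationType": "primaryAndSecondaryAuthentication",
        }},
    }

def classify_response(status: int, body: str) -> str:
    """'needs_beta' is the failure the issue describes: a 400 whose error message
    points at the beta endpoint (exact wording assumed; matched on 'beta')."""
    if status == 201:
        return "created"
    try:
        msg = json.loads(body).get("error", {}).get("message", "")
    except (ValueError, AttributeError):
        msg = body
    return "needs_beta" if status == 400 and "beta" in msg.lower() else "error"

def create_policy(token: str, body: dict, version: str = "v1.0") -> str:
    """POST the policy and return its classification; defaults to v1.0 so a policy
    that only beta accepts is flagged instead of being locked to the beta API."""
    req = urllib.request.Request(
        f"https://graph.microsoft.com/{version}/identity/conditionalAccess/policies",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode())
```

Call `create_policy(token, build_policy_body())` with a token holding Policy.ReadWrite.ConditionalAccess; a "needs_beta" result is the condition this issue tracks.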