Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get-MgBetaIdentityConditionalAccessPolicy does not return ExcludeGuestsOrExternalUsers "members" #3011

Open
jonwbstr opened this issue Oct 25, 2024 · 9 comments

Comments

@jonwbstr
Copy link

jonwbstr commented Oct 25, 2024

Describe the bug

I want to create a conditional access policy that excludes a specific service provider, to generate the required JSON body I created the policy in the user interface and fetched the policy via Get-MgBetaIdentityConditionalAccessPolicy. However, the Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy does not contain the "members" property and values. I was able to find the body I need by using the -debug parameter. I suspect this issue affects include and exclude for more than just serviceproviders but have not confirmed that.

"excludeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "serviceProvider",
        "externalTenants": {
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated",
          "members": [
            "xxxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxxx"
          ]
        }
      }

Expected behavior

The Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy object should contain the excluded members.

How to reproduce

  1. Using the entra ID portal, create a conditional access policy with an excluded service provider
  2. Run the command $p = Get-MgBetaIdentityConditionalAccessPolicy -id
  3. Look for the tenantID that was excluded and you will see that it is not present. It should be at:
    $p.conditions.users.ExcludeGuestsOrExternalUsers

SDK Version

2.24.0

Latest version known to work for scenario above?

No response

Known Workarounds

None

Debug output

Click to expand log ```
</details>


### Configuration

Name                           Value
----                           -----
PSVersion                      7.4.3
PSEdition                      Core
GitCommitId                    7.4.3
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

### Other information
No other information
@jonwbstr jonwbstr added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Oct 25, 2024
@timayabi2020
Copy link
Contributor

timayabi2020 commented Oct 28, 2024

Hi @jonwbstr thanks for identifying and raising this issue. To navigate around the default properties being returned you can use that command or Invoke-MgGraphRequest, assign the result to a variable and use the dot . operator to navigate through the properties that you need.

image image

@timayabi2020 timayabi2020 added Status: Needs Investigation status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience Status: Needs Investigation labels Oct 28, 2024
@timayabi2020
Copy link
Contributor

@jonwbstr please note that PowerShell does not support dynamic output table format for C# based cmdlets - c# - How do you set the default output format for a PowerShell Cmdlet? - Stack Overflow. For that reason, it is recommended that you add |Format-List at the end of your command to get a different view from the default fixed output table format. For more information, please go through this document. Format Azure PowerShell cmdlet output | Microsoft Learn

@jonwbstr
Copy link
Author

Hi Tim, I'm not sure how that dynamic output table comment it related to the issue, should I have included that in the initial issue description?

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Oct 28, 2024
@timayabi2020
Copy link
Contributor

@jonwbstr the issue to do with dynamic outputs is beyond this scope for now. Kindly let me know if you are able to get the property based on the recommendations I've provided.

@timayabi2020 timayabi2020 added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed Needs: Attention 👋 labels Oct 28, 2024
@jonwbstr
Copy link
Author

Hi Tim, yes Invoke-MGGraphRequest has all the properties

$t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/<POLICY_ID>"

image

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Oct 29, 2024
@timayabi2020
Copy link
Contributor

@jonwbstr Get-MgBetaIdentityConditionalAccessPolicy also works. I've just used a different property from yours because that is where I have data. Please try it.
image

@timayabi2020 timayabi2020 added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed Needs: Attention 👋 labels Oct 30, 2024
@jonwbstr
Copy link
Author

jonwbstr commented Oct 30, 2024

Hi Tim, would you more detailed steps on how to create the property with data that I'm having an issue with so we can troubleshoot the same thing?

Below is attempts to get data from the same property using the two methods discussed in this ticket. The output for the two commands is different. Invoke-MgGrahRequest contains data while Get-MgBetaIdentityConditionalAccessPolicy does not.

PS C:\> $p = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId d60c2778-1470-4a1b-9f61-3f20e2fbf621
PS C:\> $t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/d60c2778-1470-4a1b-9f61-3f20e2fbf621"
PS C:\> $t.conditions.users.excludeguestsorexternalusers|convertto-json
{
  "externalTenants": {
    "members": [
      "xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx"
    ],
    "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
    "membershipKind": "enumerated"
  },
  "guestOrExternalUserTypes": "serviceProvider"
}
PS C:\> $p.conditions.users.excludeguestsorexternalusers|convertto-json
{
  "ExternalTenants": {
    "MembershipKind": "enumerated"
  },
  "GuestOrExternalUserTypes": "serviceProvider",
  "AdditionalProperties": {}
}

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Oct 30, 2024
@jonwbstr
Copy link
Author

image

@jonwbstr
Copy link
Author

I mentioned that I suspected this affected both include and exclude, so I built another to confirm that for us. TLDR; yes same issue for both properties. $p is the command that is missing data, $t is the command where the data is not missing. Look for the green lines in the second object

PS C:\> $t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/4d93eaf9-7140-492c-b4c4-4833fd69c087"
PS C:\> $p = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 4d93eaf9-7140-492c-b4c4-4833fd69c087
PS C:\> $p|convertto-json -depth 100
{
  "Conditions": {
    "Applications": {
      "ApplicationFilter": {
        "Mode": null,
        "Rule": null
      },
      "ExcludeApplications": [],
      "IncludeApplications": [
        "All"
      ],
      "IncludeAuthenticationContextClassReferences": [],
      "IncludeUserActions": []
    },
    "AuthenticationFlows": {
      "TransferMethods": null
    },
    "ClientAppTypes": [
      "all"
    ],
    "ClientApplications": {
      "ExcludeServicePrincipals": null,
      "IncludeServicePrincipals": null,
      "ServicePrincipalFilter": {
        "Mode": null,
        "Rule": null
      }
    },
    "DeviceStates": {
      "ExcludeStates": null,
      "IncludeStates": null
    },
    "Devices": {
      "DeviceFilter": {
        "Mode": null,
        "Rule": null
      },
      "ExcludeDeviceStates": null,
      "ExcludeDevices": null,
      "IncludeDeviceStates": null,
      "IncludeDevices": null
    },
    "InsiderRiskLevels": null,
    "Locations": {
      "ExcludeLocations": null,
      "IncludeLocations": null
    },
    "Platforms": {
      "ExcludePlatforms": null,
      "IncludePlatforms": null
    },
    "ServicePrincipalRiskLevels": null,
    "SignInRiskLevels": [],
    "UserRiskLevels": [],
    "Users": {
      "ExcludeGroups": [],
      "ExcludeGuestsOrExternalUsers": {
        "ExternalTenants": {
          "MembershipKind": "enumerated"
        },
        "GuestOrExternalUserTypes": "serviceProvider"
      },
      "ExcludeRoles": [],
      "ExcludeUsers": [],
      "IncludeGroups": [],
      "IncludeGuestsOrExternalUsers": {
        "ExternalTenants": {
          "MembershipKind": "enumerated"
        },
        "GuestOrExternalUserTypes": "otherExternalUser"
      },
      "IncludeRoles": [],
      "IncludeUsers": []
    }
  },
  "CreatedDateTime": "2024-10-30T09:29:18.197944Z",
  "Description": null,
  "DisplayName": "Vendor Allow",
  "GrantControls": {
    "AuthenticationStrength": {
      "AllowedCombinations": [
        "windowsHelloForBusiness",
        "fido2",
        "x509CertificateMultiFactor",
        "deviceBasedPush"
      ],
      "CombinationConfigurations": [],
      "CreatedDateTime": "2021-12-01T08:00:00Z",
      "Description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
      "DisplayName": "Passwordless MFA",
      "Id": "00000000-0000-0000-0000-000000000003",
      "ModifiedDateTime": "2021-12-01T08:00:00Z",
      "PolicyType": "builtIn",
      "RequirementsSatisfied": "mfa"
    },
    "BuiltInControls": [],
    "CustomAuthenticationFactors": [],
    "Operator": "OR",
    "TermsOfUse": []
  },
  "Id": "4d93eaf9-7140-492c-b4c4-4833fd69c087",
  "ModifiedDateTime": "2024-10-30T09:31:18.0311806Z",
  "SessionControls": {
    "ApplicationEnforcedRestrictions": {
      "IsEnabled": null
    },
    "CloudAppSecurity": {
      "CloudAppSecurityType": null,
      "IsEnabled": null
    },
    "ContinuousAccessEvaluation": {
      "Mode": null
    },
    "DisableResilienceDefaults": null,
    "PersistentBrowser": {
      "IsEnabled": null,
      "Mode": null
    },
    "SecureSignInSession": {
      "IsEnabled": null
    },
    "SignInFrequency": {
      "AuthenticationType": null,
      "FrequencyInterval": null,
      "IsEnabled": null,
      "Type": null,
      "Value": null
    }
  },
  "State": "enabledForReportingButNotEnforced",
  "AdditionalProperties": {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity"
  }
}
PS C:\> $t|convertto-json -depth 100
{
  "createdDateTime": "2024-10-30T09:29:18.197944Z",
  "partialEnablementStrategy": null,
  "modifiedDateTime": "2024-10-30T09:31:18.0311806Z",
  "conditions": {
    "clientAppTypes": [
      "all"
    ],
    "userRiskLevels": [],
    "clientApplications": null,
    "platforms": null,
    "applications": {
      "includeAuthenticationContextClassReferences": [],
      "excludeApplications": [],
      "applicationFilter": null,
      "includeUserActions": [],
      "includeApplications": [
        "All"
      ]
    },
    "times": null,
    "deviceStates": null,
    "locations": null,
    "users": {
      "excludeGroups": [],
      "excludeRoles": [],
      "includeGroups": [],
      "includeGuestsOrExternalUsers": {
+        "externalTenants": {
+          "members": [
+            "10ce1e4b-e51d-47bc-b9f9-18dbed513b45"
+          ],
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated"
        },**
        "guestOrExternalUserTypes": "otherExternalUser"
      },
      **"excludeGuestsOrExternalUsers": {
        "externalTenants": {
+          "members": [
+            "10ce1e4b-e51d-47bc-b9f9-18dbed513b45"**
+          ],
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated"
        },
        "guestOrExternalUserTypes": "serviceProvider"
      },
      "includeRoles": [],
      "includeUsers": [],
      "excludeUsers": []
    },
    "devices": null,
    "signInRiskLevels": []
  },
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
  "sessionControls": null,
  "displayName": "Vendor Allow",
  "templateId": null,
  "id": "4d93eaf9-7140-492c-b4c4-4833fd69c087",
  "grantControls": {
    "authenticationStrength": {
      "createdDateTime": "2021-12-01T08:00:00Z",
      "modifiedDateTime": "2021-12-01T08:00:00Z",
      "combinationConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4d93eaf9-7140-492c-b4c4-4833fd69c087')/grantControls/authenticationStrength/combinationConfigurations",
      "displayName": "Passwordless MFA",
      "requirementsSatisfied": "mfa",
      "policyType": "builtIn",
      "id": "00000000-0000-0000-0000-000000000003",
      "description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
      "combinationConfigurations": [],
      "allowedCombinations": [
        "windowsHelloForBusiness",
        "fido2",
        "x509CertificateMultiFactor",
        "deviceBasedPush"
      ]
    },
    "authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4d93eaf9-7140-492c-b4c4-4833fd69c087')/grantControls/authenticationStrength/$entity",
    "termsOfUse": [],
    "operator": "OR",
    "customAuthenticationFactors": [],
    "builtInControls": []
  },
  "state": "enabledForReportingButNotEnforced"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants