-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get-MgBetaIdentityConditionalAccessPolicy does not return ExcludeGuestsOrExternalUsers "members" #3011
Comments
Hi @jonwbstr thanks for identifying and raising this issue. To navigate around the default properties being returned you can use that command or |
@jonwbstr please note that PowerShell does not support dynamic output table format for C# based cmdlets - c# - How do you set the default output format for a PowerShell Cmdlet? - Stack Overflow. For that reason, it is recommended that you add |
Hi Tim, I'm not sure how that dynamic output table comment it related to the issue, should I have included that in the initial issue description? |
@jonwbstr the issue to do with dynamic outputs is beyond this scope for now. Kindly let me know if you are able to get the property based on the recommendations I've provided. |
@jonwbstr |
Hi Tim, would you more detailed steps on how to create the property with data that I'm having an issue with so we can troubleshoot the same thing? Below is attempts to get data from the same property using the two methods discussed in this ticket. The output for the two commands is different. Invoke-MgGrahRequest contains data while Get-MgBetaIdentityConditionalAccessPolicy does not.
|
I mentioned that I suspected this affected both include and exclude, so I built another to confirm that for us. TLDR; yes same issue for both properties. $p is the command that is missing data, $t is the command where the data is not missing. Look for the green lines in the second object PS C:\> $t = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/4d93eaf9-7140-492c-b4c4-4833fd69c087"
PS C:\> $p = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId 4d93eaf9-7140-492c-b4c4-4833fd69c087
PS C:\> $p|convertto-json -depth 100
{
"Conditions": {
"Applications": {
"ApplicationFilter": {
"Mode": null,
"Rule": null
},
"ExcludeApplications": [],
"IncludeApplications": [
"All"
],
"IncludeAuthenticationContextClassReferences": [],
"IncludeUserActions": []
},
"AuthenticationFlows": {
"TransferMethods": null
},
"ClientAppTypes": [
"all"
],
"ClientApplications": {
"ExcludeServicePrincipals": null,
"IncludeServicePrincipals": null,
"ServicePrincipalFilter": {
"Mode": null,
"Rule": null
}
},
"DeviceStates": {
"ExcludeStates": null,
"IncludeStates": null
},
"Devices": {
"DeviceFilter": {
"Mode": null,
"Rule": null
},
"ExcludeDeviceStates": null,
"ExcludeDevices": null,
"IncludeDeviceStates": null,
"IncludeDevices": null
},
"InsiderRiskLevels": null,
"Locations": {
"ExcludeLocations": null,
"IncludeLocations": null
},
"Platforms": {
"ExcludePlatforms": null,
"IncludePlatforms": null
},
"ServicePrincipalRiskLevels": null,
"SignInRiskLevels": [],
"UserRiskLevels": [],
"Users": {
"ExcludeGroups": [],
"ExcludeGuestsOrExternalUsers": {
"ExternalTenants": {
"MembershipKind": "enumerated"
},
"GuestOrExternalUserTypes": "serviceProvider"
},
"ExcludeRoles": [],
"ExcludeUsers": [],
"IncludeGroups": [],
"IncludeGuestsOrExternalUsers": {
"ExternalTenants": {
"MembershipKind": "enumerated"
},
"GuestOrExternalUserTypes": "otherExternalUser"
},
"IncludeRoles": [],
"IncludeUsers": []
}
},
"CreatedDateTime": "2024-10-30T09:29:18.197944Z",
"Description": null,
"DisplayName": "Vendor Allow",
"GrantControls": {
"AuthenticationStrength": {
"AllowedCombinations": [
"windowsHelloForBusiness",
"fido2",
"x509CertificateMultiFactor",
"deviceBasedPush"
],
"CombinationConfigurations": [],
"CreatedDateTime": "2021-12-01T08:00:00Z",
"Description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
"DisplayName": "Passwordless MFA",
"Id": "00000000-0000-0000-0000-000000000003",
"ModifiedDateTime": "2021-12-01T08:00:00Z",
"PolicyType": "builtIn",
"RequirementsSatisfied": "mfa"
},
"BuiltInControls": [],
"CustomAuthenticationFactors": [],
"Operator": "OR",
"TermsOfUse": []
},
"Id": "4d93eaf9-7140-492c-b4c4-4833fd69c087",
"ModifiedDateTime": "2024-10-30T09:31:18.0311806Z",
"SessionControls": {
"ApplicationEnforcedRestrictions": {
"IsEnabled": null
},
"CloudAppSecurity": {
"CloudAppSecurityType": null,
"IsEnabled": null
},
"ContinuousAccessEvaluation": {
"Mode": null
},
"DisableResilienceDefaults": null,
"PersistentBrowser": {
"IsEnabled": null,
"Mode": null
},
"SecureSignInSession": {
"IsEnabled": null
},
"SignInFrequency": {
"AuthenticationType": null,
"FrequencyInterval": null,
"IsEnabled": null,
"Type": null,
"Value": null
}
},
"State": "enabledForReportingButNotEnforced",
"AdditionalProperties": {
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity"
}
}
PS C:\> $t|convertto-json -depth 100
{
"createdDateTime": "2024-10-30T09:29:18.197944Z",
"partialEnablementStrategy": null,
"modifiedDateTime": "2024-10-30T09:31:18.0311806Z",
"conditions": {
"clientAppTypes": [
"all"
],
"userRiskLevels": [],
"clientApplications": null,
"platforms": null,
"applications": {
"includeAuthenticationContextClassReferences": [],
"excludeApplications": [],
"applicationFilter": null,
"includeUserActions": [],
"includeApplications": [
"All"
]
},
"times": null,
"deviceStates": null,
"locations": null,
"users": {
"excludeGroups": [],
"excludeRoles": [],
"includeGroups": [],
"includeGuestsOrExternalUsers": {
+ "externalTenants": {
+ "members": [
+ "10ce1e4b-e51d-47bc-b9f9-18dbed513b45"
+ ],
"@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
"membershipKind": "enumerated"
},**
"guestOrExternalUserTypes": "otherExternalUser"
},
**"excludeGuestsOrExternalUsers": {
"externalTenants": {
+ "members": [
+ "10ce1e4b-e51d-47bc-b9f9-18dbed513b45"**
+ ],
"@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
"membershipKind": "enumerated"
},
"guestOrExternalUserTypes": "serviceProvider"
},
"includeRoles": [],
"includeUsers": [],
"excludeUsers": []
},
"devices": null,
"signInRiskLevels": []
},
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"sessionControls": null,
"displayName": "Vendor Allow",
"templateId": null,
"id": "4d93eaf9-7140-492c-b4c4-4833fd69c087",
"grantControls": {
"authenticationStrength": {
"createdDateTime": "2021-12-01T08:00:00Z",
"modifiedDateTime": "2021-12-01T08:00:00Z",
"[email protected]": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4d93eaf9-7140-492c-b4c4-4833fd69c087')/grantControls/authenticationStrength/combinationConfigurations",
"displayName": "Passwordless MFA",
"requirementsSatisfied": "mfa",
"policyType": "builtIn",
"id": "00000000-0000-0000-0000-000000000003",
"description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
"combinationConfigurations": [],
"allowedCombinations": [
"windowsHelloForBusiness",
"fido2",
"x509CertificateMultiFactor",
"deviceBasedPush"
]
},
"[email protected]": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4d93eaf9-7140-492c-b4c4-4833fd69c087')/grantControls/authenticationStrength/$entity",
"termsOfUse": [],
"operator": "OR",
"customAuthenticationFactors": [],
"builtInControls": []
},
"state": "enabledForReportingButNotEnforced"
}
|
Describe the bug
I want to create a conditional access policy that excludes a specific service provider, to generate the required JSON body I created the policy in the user interface and fetched the policy via Get-MgBetaIdentityConditionalAccessPolicy. However, the Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy does not contain the "members" property and values. I was able to find the body I need by using the -debug parameter. I suspect this issue affects include and exclude for more than just serviceproviders but have not confirmed that.
Expected behavior
The Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphConditionalAccessPolicy object should contain the excluded members.
How to reproduce
$p.conditions.users.ExcludeGuestsOrExternalUsers
SDK Version
2.24.0
Latest version known to work for scenario above?
No response
Known Workarounds
None
Debug output
Click to expand log
```The text was updated successfully, but these errors were encountered: