Conditional access - "Request malformed or incorrect" when creating new policy via Graph

mledk 20 Reputation points
2023-05-09T08:17:27.5333333+00:00

Hi

When trying to POST a new policy via the Beta API and defining authentication strength, it always returns the error shown in the title.

Is it because it's not yet supported via code?

Example of a JSON payload which fails:

{
    "displayName": "test",
    "state": "enabledForReportingButNotEnforced",
    "sessionControls": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
            "all"
        ],
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "applications": {
            "includeApplications": [
                "All"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null
        },
        "users": {
            "includeUsers": [
                "All"
            ],
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": [],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": {
            "id": "00000000-0000-0000-0000-000000000003",
            "displayName": "Passwordless MFA",
            "description": "Passwordless methods that satisfy strong authentication, such as Passwordless sign-in with the Microsoft Authenticator",
            "policyType": "builtIn",
            "requirementsSatisfied": "mfa",
            "allowedCombinations": [
                "windowsHelloForBusiness",
                "fido2",
                "x509CertificateMultiFactor",
                "deviceBasedPush"
            ]
        }
    }
}

And the error: image

Cheers

Microsoft Security | Microsoft Graph

Accepted answer
  1. msft-gu 1,355 Reputation points
    2023-05-09T19:39:30.3833333+00:00

    Hi mledk,

    Good afternoon and thank you for your question. Yes, I assume that it is not yet supported, because after also testing it on my end, when I removed "authenticationStrength" and used MFA in builtInControls, it did work and provided me a 201 response.

    To add, "authenticationStrength" is not listed under the Create conditionalAccessPolicy in Example 3: Use all conditions/controls.

    If you want to request that the condition/control be added, I suggest posting on the Microsoft Graph Feedback Portal.

    I hope I was able to answer your question. If yes, please upvote and mark this as an Accepted Answer. Thank you again for your question and have a great day!
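
The rewrite described in the accepted answer (remove "authenticationStrength", use MFA in builtInControls), as an added example that is not part of the original thread or Microsoft's code. The helper name `fall_back_to_builtin_mfa` and the trimmed sample payload are assumptions. Because the built-in "mfa" control does not restrict sign-in to the strength's allowedCombinations, the helper also returns what was dropped so the change can be recorded.

```python
import copy
import json

# Constructed sample: the question's payload, trimmed to the fields used here.
FAILING_POLICY = {
    "displayName": "test",
    "state": "enabledForReportingButNotEnforced",
    "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "authenticationStrength": {
            "id": "00000000-0000-0000-0000-000000000003",
            "displayName": "Passwordless MFA",
            "allowedCombinations": ["windowsHelloForBusiness", "fido2",
                                    "x509CertificateMultiFactor", "deviceBasedPush"],
        },
    },
}


def fall_back_to_builtin_mfa(policy):
    """Return (new_policy, dropped) without mutating the input.

    new_policy has no authenticationStrength and lists "mfa" in
    builtInControls. dropped names the strength that was removed and the
    method combinations it would have enforced, or is None if the policy
    carried no authentication strength.
    """
    new_policy = copy.deepcopy(policy)
    grant = new_policy.get("grantControls") or {}
    strength = grant.pop("authenticationStrength", None)
    if strength is None:
        return new_policy, None  # nothing to rewrite
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        controls.append("mfa")
    grant["builtInControls"] = controls
    new_policy["grantControls"] = grant
    dropped = {"displayName": strength.get("displayName"),
               "allowedCombinations": list(strength.get("allowedCombinations", []))}
    return new_policy, dropped


if __name__ == "__main__":
    body, dropped = fall_back_to_builtin_mfa(FAILING_POLICY)
    print(json.dumps(body["grantControls"], indent=2))
    print("no longer enforced by this policy:", dropped)
```
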

