Unmatching schema New-MgIdentityConditionalAccessPolicy - ConditionalAccessPolicy type

NiklasLucht-5924 0 Reputation points
2025-02-05T07:33:16.5466667+00:00

Describe the bug

I'm using Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $conditionalAccessPolicyId to get a Conditional Access Policy (I've tried the HTTP alternative too). When I'm trying to use the JSON to create a new policy I get the following error message:

New-MgIdentityConditionalAccessPolicy_Create: 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.

It looks like it's related to when an Authentication Strength policy is used, both a built-in and custom, since it works when trying with other policies including with "Require multifactor authentication" configured. That generates the below error, so it matches the schema.

New-MgIdentityConditionalAccessPolicy_Create: 1001: 'id' is a readonly field and cannot be updated. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.

I know the JSON contains objects (such as id above) that shouldn't be there when creating a new policy, but I get the same error when removing those too.

Expected behavior

I'm expecting to be able to create a new Conditional Access policy based on the JSON I get as a response when using Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $conditionalAccessPolicyId.

How to reproduce

$conditionalAccessPolicyId = '<placeholder: id of a policy that uses the MFA Authentication Strength>'

$Policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $conditionalAccessPolicyId

# Body built by hand from the exported policy; "users" sits under "conditions" as in the schema
$params = @{
    "conditions" = @{
        "applications" = @{
            "includeApplications" = @("All")
        }
        "clientAppTypes" = @("all")
        "users" = @{
            "excludeUsers" = @(
                "f51aeea6-6eb4-48e8-90ae-502c4dcea45b",
                "d1b8568f-1847-4772-b5bf-088636c7f96b",
                "3c114ee3-f61d-4450-8f63-9370ad01d538"
            )
            "includeUsers" = @("All")
        }
    }
    "createdDateTime" = "2024-01-15T08:23:31.3464793Z"
    "displayName" = "MFA for all users"
    "grantControls" = @{
        # The exported policy embeds the full built-in authentication strength object
        "authenticationStrength" = @{
            "allowedCombinations" = @(
                "windowsHelloForBusiness",
                "fido2",
                "x509CertificateMultiFactor",
                "deviceBasedPush",
                "temporaryAccessPassOneTime",
                "temporaryAccessPassMultiUse",
                "password,microsoftAuthenticatorPush",
                "password,softwareOath",
                "password,hardwareOath",
                "password,sms",
                "password,voice",
                "federatedMultiFactor",
                "microsoftAuthenticatorPush,federatedSingleFactor",
                "softwareOath,federatedSingleFactor",
                "hardwareOath,federatedSingleFactor",
                "sms,federatedSingleFactor",
                "voice,federatedSingleFactor"
            )
            "createdDateTime" = "2021-12-01T08:00:00Z"
            "description" = "Combinations of methods that satisfy strong authentication, such as a password + SMS"
            "displayName" = "Multifactor authentication"
            "id" = "00000000-0000-0000-0000-000000000002"
            "modifiedDateTime" = "2021-12-01T08:00:00Z"
            "policyType" = "builtIn"
            "requirementsSatisfied" = "mfa"
        }
        "operator" = "OR"
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

WORKING JSON (with MFA but not Authentication Strength)

$params = @{
    "displayName" = "MFA for all users"
    "conditions" = @{
        "users" = @{
            "includeUsers" = @("b04ca2b9-a0ed-470a-abae-1fcdd9068eae")
            "excludeUsers" = @("e4f2b8a1-ee63-43cc-bc8a-d865ad9a29f6", "f51aeea6-6eb4-48e8-90ae-502c4dcea45b")
        }
        "applications" = @{
            "includeApplications" = @("All")
        }
        "clientAppTypes" = @("all")
    }
    "state" = "disabled"
    # Single quotes so PowerShell does not expand $metadata and $entity as variables
    "@odata.context" = 'https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity'
    "grantControls" = @{
        "builtInControls" = @("mfa")
        "operator" = "OR"
    }
}

Does anyone have a solution for this problem?
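An added example for this thread, not code from the question: it clones an existing Conditional Access policy into a body the create endpoint accepts, stripping the read-only fields (id, createdDateTime, modifiedDateTime, templateId) and every @odata annotation, and reducing the exported grantControls.authenticationStrength object to a reference by id. It assumes the Microsoft.Graph module is installed, that Connect-MgGraph has been run with the Policy.ReadWrite.ConditionalAccess scope, and that the create endpoint accepts an authenticationStrength object carrying only the strength's id (an assumption here; the API documentation linked in the error message is the reference). The function and parameter names are this example's own.

```powershell
# Added example, not code from the original post. Assumptions: Microsoft.Graph is installed,
# Connect-MgGraph has been run with the Policy.ReadWrite.ConditionalAccess scope, and the
# create endpoint accepts an authenticationStrength object that carries only "id".

function Remove-ReadOnlyKeys {
    # Recursively drops what the create endpoint will not take back: read-only metadata
    # (id, created/modified timestamps, templateId) and OData annotations such as
    # "@odata.context" and "authenticationStrength@odata.context".
    param([Parameter(Mandatory)][hashtable]$Object)

    $readOnly = @('id', 'createdDateTime', 'modifiedDateTime', 'templateId')
    $clean = @{}
    foreach ($key in $Object.Keys) {
        if ($readOnly -contains $key -or $key -like '*@odata*') { continue }
        $value = $Object[$key]
        if ($value -is [hashtable]) { $value = Remove-ReadOnlyKeys -Object $value }
        $clean[$key] = $value
    }
    return $clean
}

function Copy-ConditionalAccessPolicy {
    param(
        [Parameter(Mandatory)][string]$SourcePolicyId,
        [Parameter(Mandatory)][string]$NewDisplayName
    )

    # Read the source policy as a plain hashtable so it can be edited key by key.
    $uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$SourcePolicyId"
    $source = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType Hashtable

    $body = Remove-ReadOnlyKeys -Object $source
    $body['displayName'] = $NewDisplayName
    # The clone is created disabled so it can be reviewed before it affects any sign-in.
    $body['state'] = 'disabled'

    # The export embeds the whole authentication strength policy (allowedCombinations,
    # policyType, ...). The CA policy only references that object, so send back just its id.
    $grant = $source['grantControls']
    if ($null -ne $grant -and $null -ne $grant['authenticationStrength']) {
        $body['grantControls']['authenticationStrength'] = @{ 'id' = $grant['authenticationStrength']['id'] }
    }

    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage (the source id is a placeholder):
# Copy-ConditionalAccessPolicy -SourcePolicyId '<source-policy-id>' -NewDisplayName 'MFA for all users (copy)'
```

The recursive strip removes the nested id of the embedded strength object as well, which is why the id is captured from the untouched $source and re-attached afterwards; the same routine handles the conditions, sessionControls and any other nested blocks without listing them individually.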

