azuread_conditional_access_policy with grant_controls.0.built_in_controls.0 = "mfa" not working

[haakonw-ksat]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

• azuread_conditional_access_policy

Terraform Configuration Files

resource "azuread_conditional_access_policy" "ca02" {
  display_name = "CA02 - All Applications: Require MFA For admins When signing in"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types    = ["all"]

    applications {
      included_applications = ["All"]
    }

    locations {
      included_locations = ["All"]
    }

    platforms {
      included_platforms = ["all"]
    }

    users {
      excluded_users = local.emergency_account_ids
      included_roles = [
        "62e90394-69f5-4237-9190-012177145e10", # Global Administrator
        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", # Application Administrator
        "c4e39bd9-1100-46d3-8c65-fb160da0071f", # Authentication Administrator
        "b0f54661-2d74-4c50-afa3-1ec803f12efe", # Billing Administrator
        "158c047a-c907-4556-b7ef-446551a6b5f7", # Cloud Application Administrator
        "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", # Conditional Access Administrator
        "29232cdf-9323-42fd-ade2-1d097af3e4de", # Exchange Administrator
        "729827e3-9c14-49f7-bb1b-9608f156bbb8", # Helpdesk Administrator
        "966707d0-3269-4727-9be2-8c3a10f19b9d", # Password Administrator
        "7be44c8a-adaf-4e2a-84d6-ab2649e08a13", # Privileged Authentication Administrator
        "e8611ab8-c189-46e8-94e1-60213ab1f814", # Privileged Role Administrator
        "194ae4cb-b126-40b2-bd5b-6091b380977d", # Security Administrator
        "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", # SharePoint Administrator
        "fe930be7-5e62-47db-91af-98c3a49a38b1"  # User Administrator
      ]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }

  session_controls {
    disable_resilience_defaults               = false
    sign_in_frequency                         = 10
    sign_in_frequency_period                  = "hours"
  }
}

Expected Behavior

The terraform configuration should have created a Conditional Access policy

Actual Behavior

│ Error: Could not create conditional access policy
│ 
│   with azuread_conditional_access_policy.ca02,
│   on conditional-access.tf line 56, in resource "azuread_conditional_access_policy" "ca02":
│   56: resource "azuread_conditional_access_policy" "ca02" {
│ 
│ unexpected status 400 (400 Bad Request) with error: BadRequest: 1058: Unsupported control for B2C policies. Only Block, Mfa, and MfaAndChangePassword grant controls are allowed.

Using "Mfa" instead causes this error:

│ Error: expected grant_controls.0.built_in_controls.0 to be one of ["approvedApplication" "block" "compliantApplication" "compliantDevice" "domainJoinedDevice" "mfa" "passwordChange"], got Mfa
│ 
│   with azuread_conditional_access_policy.ca02,
│   on conditional-access.tf line 98, in resource "azuread_conditional_access_policy" "ca02":
│   98:     built_in_controls = ["Mfa"]

Steps to Reproduce

1. Log into an account with Conditional Access Administrator or Global Administrator
2. Create a terraform config file of a Condtional Access policy with "mfa" requirement.

grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }

3. terraform apply

References

• https://registry.terraform.io/providers/hashicorp/azuread/3.0.2/docs/resources/conditional_access_policy

[haakonw-ksat]

Looks like a replica of #704

[haakonw-ksat]

It seems one of your packages are now deprecated:

• File:

  terraform-provider-azuread/internal/services/conditionalaccess/conditional_access_policy_resource.go

  Line 22 in c8e29ad

  "github.com/manicminer/hamilton/msgraph"

• Deprecation: manicminer/hamilton@be74f29#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R3

This package holds the values that does not work in B2C conditional access policy:

• terraform-provider-azuread/internal/services/conditionalaccess/conditional_access_policy_resource.go

  Line 526 in c8e29ad

  msgraph.ConditionalAccessGrantControlMfa,

• https://pkg.go.dev/github.com/manicminer/hamilton/msgraph

The new library seems to hold the same issue though:

• https://github.com/hashicorp/go-azure-sdk/blob/2c82270fdd193c987ed3632082806e3c6fe000c1/microsoft-graph/common-types/beta/constant_conditionalaccessgrantcontrol.go#L20

[haakonw-ksat]

hashicorp/go-azure-sdk#1122