
Grant Controls not working for B2C Directories #704

Open
PatMcHugh opened this issue Dec 21, 2021 · 11 comments

Comments

@PatMcHugh

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

terraform provider 2.13.0
terraform version 0.15.0

Affected Resource(s)

  • azuread_conditional_access_policy

Terraform Configuration Files

resource "azuread_conditional_access_policy" "enforce_MFA" {
  display_name = "MFA"
  state        = "disabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    locations {
      included_locations = ["All"]
    }

    platforms {
      included_platforms = ["all"]
    }

    users {
      included_roles = ["All"]
      #excluded_users = ["GuestsOrExternalUsers"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

Debug Output

Panic Output

Expected Behavior

A conditional access policy requiring MFA should have been created on a B2C tenant.

Actual Behavior

The following error occurs after running apply:

ConditionalAccessPoliciesClient.BaseClient.Post(): unexpected status 400 with
OData error: BadRequest: 1058: Unsupported control for B2C policies. Only
Block, Mfa, and MfaAndChangePassword grant controls are allowed.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@manicminer (Contributor)

Hi @PatMcHugh, thanks for reporting this. I'll do some testing to try and reproduce. In the meantime, if you are able to post a debug log covering this error, that would be really helpful as it shows exactly what is being sent to the API. Thanks!

@dougan001

Hey @manicminer - was doing some debug on this yesterday.

= Begin AzureAD Request ============================
Request ID: 637de6e4-0602-8923-a334-f08e6ab005bb

POST /v1.0/TENANTID/identity/conditionalAccess/policies HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/0.14.5 (+https://www.terraform.io) Terraform Plugin SDK/2.8.0 terraform-provider-azuread/2.13.0 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 724
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{"conditions":{"applications":{"includeApplications":["All"],"excludeApplications":[],"includeUserActions":[]},"clientAppTypes":["all"],"locations":{"includeLocations":["All"],"excludeLocations":[]},"platforms":{"includePlatforms":["all"],"excludePlatforms":[]},"signInRiskLevels":[],"userRiskLevels":[],"users":{"includeUsers":[],"excludeUsers":[],"includeGroups":[],"excludeGroups":[],"includeRoles":["62e90394-69f5-4237-9190-012177145e10","fdd7a751-b60b-444a-984c-02652fe8fa1c","fe930be7-5e62-47db-91af-98c3a49a38b1"],"excludeRoles":[]}},"displayName":"MFA KLP Non-Prod","grantControls":{"operator":"AND","builtInControls":["mfa"],"customAuthenticationFactors":[],"termsOfUse":[]},"sessionControls":{},"state":"disabled"}
============================= End AzureAD Request =============================: timestamp=2021-12-21T14:08:16.211Z
2021-12-21T14:08:16.959Z [INFO] plugin.terraform-provider-azuread_v2.13.0_x5: 2021/12/21 14:08:16 [DEBUG] ============================ Begin AzureAD Response ===========================
POST https://graph.microsoft.com/v1.0/TENANTID/identity/conditionalAccess/policies
Request ID: 637de6e4-0602-8923-a334-f08e6ab005bb

HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: d573789f-07b2-4609-846e-9e656c5a3a00
Content-Type: application/json
Date: Tue, 21 Dec 2021 14:08:16 GMT
Request-Id: d573789f-07b2-4609-846e-9e656c5a3a00
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"3","ScaleUnit":"002","RoleInstance":"LO1PEPF000004E7"}}

138
{"error":{"code":"BadRequest","message":"1058: Unsupported control for B2C policies. Only Block, Mfa, and MfaAndChangePassword grant controls are allowed.","innerError":{"date":"2021-12-21T14:08:16","request-id":"d573789f-07b2-4609-846e-9e656c5a3a00","client-request-id":"d573789f-07b2-4609-846e-9e656c5a3a00"}}}

I then used the Graph Explorer to narrow down the issue: the inclusion of "sessionControls": {} results in this error within the B2C tenants only. When "sessionControls": null is sent, or the field is completely removed, the resource will create with no issue.

@manicminer (Contributor)

@dougan001 Many thanks for the feedback, that helps narrow down the cause.

This may be challenging to resolve since the API has bugs around handling of the sessionControls field. In order to work around this, we currently opt to explicitly specify that field when empty. When updating an existing CA policy, it's only possible to remove session controls from the policy by specifying an empty JSON object as the value.

I'm working on improving our testing setup for B2C directories which will need to be in place first, in order to get proper testing coverage on this to try and resolve.
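To make the two behaviours discussed above concrete, here is an added Python example (not provider code, and not from any commenter): it builds the Graph request body from a constructed policy dict, dropping an empty sessionControls object for a B2C tenant as dougan001 found works, while keeping the explicit {} that the maintainer says a workforce-tenant update needs to clear existing session controls. The is_b2c flag and the sample policy are assumptions; the page only demonstrates the B2C behaviour for policy creation.

```python
import copy
import json

# Constructed sample, modelled on the POST body in the debug log above and
# trimmed to the fields that matter for this issue.
SAMPLE_POLICY = {
    "displayName": "MFA",
    "state": "disabled",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {},  # this is the value the B2C API rejects (error 1058)
}


def has_empty_session_controls(body: dict) -> bool:
    """True when the body carries the '"sessionControls": {}' value that
    B2C tenants answer with 400 / 1058, per the debug log and comments."""
    return body.get("sessionControls") == {}


def prepare_policy_body(policy: dict, is_b2c: bool) -> dict:
    """Return the JSON-serialisable body to send to Graph for this policy.

    Workforce tenants: send an explicit {} so an update can clear existing
    session controls (the provider's current behaviour).
    B2C tenants: omit the key entirely when it is empty or None, which is
    what worked in Graph Explorer. Whether a B2C update also needs this is
    not settled on the page; treating B2C uniformly here is an assumption.
    """
    body = copy.deepcopy(policy)  # never mutate the caller's policy
    if body.get("sessionControls") in ({}, None):
        if is_b2c:
            body.pop("sessionControls", None)
        else:
            body["sessionControls"] = {}
    return body


def policy_json(policy: dict, is_b2c: bool) -> str:
    """Compact JSON exactly as it would go on the wire."""
    return json.dumps(prepare_policy_body(policy, is_b2c), separators=(",", ":"))


if __name__ == "__main__":
    print("B2C      :", policy_json(SAMPLE_POLICY, is_b2c=True))
    print("workforce:", policy_json(SAMPLE_POLICY, is_b2c=False))
```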

@saviorand

Would like to surface this. Very relevant for our use case.

@mrpmorris

Is there a solution or workaround for this?

@Masahigo

I'm also curious about a possible workaround.

@Brijeshoo7

@manicminer & @PatMcHugh, I am facing a similar issue; any update on the solution?

@mrpmorris

Nearly 2 years ago. It doesn't look like it will be fixed any time soon, if at all.
