
Unexpected behaviour with session_controls #1235

Closed
dankitch opened this issue Oct 30, 2023 · 5 comments · Fixed by #1382

Comments

@dankitch

dankitch commented Oct 30, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform: 1.6.2
AzureAD: 2.45.0

Affected Resource(s)

  • azuread_conditional_access_policy

Problem

In one of my CA policies, I am setting the application_enforced_restrictions_enabled to true. This is the only session control defined in this particular policy.

Today, I noticed that when performing a plan, the following session_controls are now "added":

  • sign_in_frequency_authentication_type = "primaryAndSecondaryAuthentication"
  • sign_in_frequency_interval = "timeBased"

Terraform plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:


  # azuread_conditional_access_policy.CA004 will be updated in-place
  ~ resource "azuread_conditional_access_policy" "CA004" {
        id           = "policyId"
        # (2 unchanged attributes hidden)

      ~ session_controls {
          + sign_in_frequency_authentication_type     = "primaryAndSecondaryAuthentication"
          + sign_in_frequency_interval                = "timeBased"
            # (3 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

Expected behaviour is no change to the policy. I haven't defined these additional session controls in my terraform configuration.

Policy configuration


resource "azuread_conditional_access_policy" "CA004" {
  display_name = "${var.tenant} - ${local.policy4.sequence_number} - ${local.policy4.personas_groups} - ${local.policy4.cloud_app_target} : ${local.policy4.response}"
  state        = "enabled"
  conditions {
    client_app_types = ["all"]
    // sign_in_risk_levels = []
    // user_risk_levels    = []
    applications {
      // excluded_applications = []
      included_applications = ["Office365"]
      // included_user_actions = []
    }
    platforms {
      // excluded_platforms = []
      included_platforms = ["all"]
    }
    users {
      excluded_groups = [var.group1]
      // excluded_roles  = []
      // excluded_users  = []
      included_groups = [var.group2]
      // included_roles  = []
      // included_users  = []
    }
  }
  session_controls {
    application_enforced_restrictions_enabled = true
    // cloud_app_security_policy                 = null
    // persistent_browser_mode                   = null
    // sign_in_frequency                         = 0
    // sign_in_frequency_period                  = null
  }

}


Actual Behavior

After performing an apply, the state file contains these new session_controls, but when looking at the policy in the Azure portal, it looks as I would have expected. There's no visible change to the policy, but it is unclear at this stage what effect these additional session controls could be having on the policy.

@manicminer
Contributor

manicminer commented Oct 30, 2023

@dankitch Thanks for reporting this. We added support for session controls in v2.45 under the assumption that these were defaulted in all CAPs - which we observed during testing.

Would you be able to post a copy of your policy as returned by the API, e.g. https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/3aa40000-ac1d-0000-9534-aa9e00000000

If the policy has already been updated by v2.45, if you could possibly post a copy of a policy that hasn't yet been updated by this version that'd be really appreciated. Preferably an older policy, and maybe even created outside of Terraform initially if you have any that fit these criteria.

@dankitch
Author

@manicminer Thanks for the response. Here is a copy of the policy which has been provisioned using azuread v2.44.1:

v2.44.1

{
    "id": "policyId",
    "templateId": null,
    "displayName": " TEST - LAB - CA004 - All Device Platforms - All Clients - Office 365 : Use App Enforced Restrictions",
    "createdDateTime": "2023-10-30T16:11:01.9842414Z",
    "modifiedDateTime": null,
    "state": "enabled",
    "grantControls": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
            "all"
        ],
        "servicePrincipalRiskLevels": [],
        "locations": null,
        "devices": null,
        "clientApplications": null,
        "applications": {
            "includeApplications": [
                "Office365"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null
        },
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGroups": [
                "dc8108db-266b-421d-9230-6fa6b428b0fb"
            ],
            "excludeGroups": [
                "11908e9b-e7b6-4a6d-8950-88810ac3870c",
                "09946bda-a090-41ef-a2fc-0884a13d2cff",
                "e58216ac-9dd8-47d8-bbd8-58497dc94a5d"
            ],
            "includeRoles": [],
            "excludeRoles": [],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        },
        "platforms": {
            "includePlatforms": [
                "all"
            ],
            "excludePlatforms": []
        }
    },
    "sessionControls": {
        "disableResilienceDefaults": null,
        "cloudAppSecurity": null,
        "signInFrequency": null,
        "persistentBrowser": null,
        "applicationEnforcedRestrictions": {
            "isEnabled": true
        }
    }
}

Here is a copy of the policy provisioned using azuread v2.45.0:

v2.45.0

{
    "id": "policyId2",
    "templateId": null,
    "displayName": "LAB - CA004 - All Device Platforms - All Clients - Office 365 : Use App Enforced Restrictions",
    "createdDateTime": "2023-10-30T16:21:03.2365066Z",
    "modifiedDateTime": "2023-10-30T16:23:49.3009612Z",
    "state": "enabled",
    "grantControls": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
            "all"
        ],
        "servicePrincipalRiskLevels": [],
        "locations": null,
        "devices": null,
        "clientApplications": null,
        "applications": {
            "includeApplications": [
                "Office365"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null
        },
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGroups": [
                "dc8108db-266b-421d-9230-6fa6b428b0fb"
            ],
            "excludeGroups": [
                "11908e9b-e7b6-4a6d-8950-88810ac3870c",
                "09946bda-a090-41ef-a2fc-0884a13d2cff",
                "e58216ac-9dd8-47d8-bbd8-58497dc94a5d"
            ],
            "includeRoles": [],
            "excludeRoles": [],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        },
        "platforms": {
            "includePlatforms": [
                "all"
            ],
            "excludePlatforms": []
        }
    },
    "sessionControls": {
        "disableResilienceDefaults": null,
        "cloudAppSecurity": null,
        "signInFrequency": null,
        "persistentBrowser": null,
        "applicationEnforcedRestrictions": {
            "isEnabled": true
        }
    }
}

Other than the displayName, createdDateTime, modifiedDateTime, and of course the policy id, both policies match.

However, when reviewing the state file, you can see the additional session controls in v2.45.0. Below is a comparison:

v2.44.1 state

"session_controls": [
  {
    "application_enforced_restrictions_enabled": true,
    "cloud_app_security_policy": "",
    "disable_resilience_defaults": false,
    "persistent_browser_mode": "",
    "sign_in_frequency": 0,
    "sign_in_frequency_period": ""
  }
]

v2.45.0 state

"session_controls": [
  {
    "application_enforced_restrictions_enabled": true,
    "cloud_app_security_policy": "",
    "disable_resilience_defaults": false,
    "persistent_browser_mode": "",
    "sign_in_frequency": 0,
    "sign_in_frequency_authentication_type": "primaryAndSecondaryAuthentication",
    "sign_in_frequency_interval": "timeBased",
    "sign_in_frequency_period": ""
  }
]

Unfortunately, I don't have any policies created outside of terraform anymore.

Is it worth creating one using the GUI to compare against, or will that not make much difference?

Thanks!
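The comparison above shows the state carrying two sign-in-frequency attributes that the Graph API reports as null. The following check, added here and not part of the thread or of the AzureAD provider, takes a policy's sessionControls object (as returned by Graph) and the session_controls object from Terraform state, and reports every state attribute that has a value the API does not back. The attribute mapping is assumed from the names shown on this page; the sample data is an abbreviated copy of the v2.45.0 policy and state from the comment above.

```python
"""Detect session_controls attributes in Terraform state that the Graph API
does not back (hypothetical helper, not provider code)."""

# Graph sessionControls field -> Terraform attributes that should be "unset"
# (zero/empty) whenever the API returns null, or isEnabled == false, for it.
# Mapping assumed from the attribute names on this page.
NULL_MEANS_UNSET = {
    "signInFrequency": {
        "sign_in_frequency": 0,
        "sign_in_frequency_period": "",
        "sign_in_frequency_authentication_type": "",
        "sign_in_frequency_interval": "",
    },
    "persistentBrowser": {"persistent_browser_mode": ""},
    "cloudAppSecurity": {"cloud_app_security_policy": ""},
}


def session_control_drift(api_session_controls, state_session_controls):
    """Return [(attribute, state_value)] for state values the API does not hold."""
    drift = []
    for graph_field, attrs in NULL_MEANS_UNSET.items():
        control = api_session_controls.get(graph_field)
        # A control that is absent, null or explicitly disabled carries no
        # settings, so every mapped state attribute must be at its zero value.
        if control is None or control.get("isEnabled") is False:
            for attr, unset in attrs.items():
                value = state_session_controls.get(attr, unset)
                if value != unset:
                    drift.append((attr, value))
    # applicationEnforcedRestrictions is a plain boolean on both sides.
    aer = api_session_controls.get("applicationEnforcedRestrictions") or {}
    state_aer = state_session_controls.get("application_enforced_restrictions_enabled", False)
    if state_aer != bool(aer.get("isEnabled", False)):
        drift.append(("application_enforced_restrictions_enabled", state_aer))
    return drift


# Constructed sample: abbreviated from the v2.45.0 policy and state above.
API_SESSION_CONTROLS = {
    "disableResilienceDefaults": None, "cloudAppSecurity": None,
    "signInFrequency": None, "persistentBrowser": None,
    "applicationEnforcedRestrictions": {"isEnabled": True},
}
STATE_2_45_0 = {
    "application_enforced_restrictions_enabled": True,
    "cloud_app_security_policy": "", "disable_resilience_defaults": False,
    "persistent_browser_mode": "", "sign_in_frequency": 0,
    "sign_in_frequency_authentication_type": "primaryAndSecondaryAuthentication",
    "sign_in_frequency_interval": "timeBased", "sign_in_frequency_period": "",
}
```

Feeding the v2.44.1 state (same object without the two sign_in_frequency_* keys) returns an empty list, which is what an idempotent provider mapping should produce.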

@MattGarnerAWR
Contributor

MattGarnerAWR commented Nov 1, 2023

I am getting the same issue: if I do a terraform apply these settings appear to be applied, but then they re-appear in the plan (not idempotent).

@manicminer manicminer added the bug label Nov 13, 2023
@szymonbr

szymonbr commented Nov 16, 2023

I get the same issue for a policy where the only setting in the session_controls section is persistent_browser_mode = "never". I need neither sign_in_frequency_authentication_type nor sign_in_frequency_interval.
Provider ver.: v2.45.0

@EricGolbek

EricGolbek commented Mar 28, 2024

The bug is caused by the default values on the optional parameters, lines 585 and 595:

Default: msgraph.ConditionalAccessAuthenticationTypePrimaryAndSecondaryAuthentication,

This line is also related and sets sign-in frequency to 0, which may trigger it to use defaults.

Here is the block for session controls; sign-in frequency isEnabled can be false:
[SignInFrequency ]: signInFrequencySessionControl
[(Any) ]: This indicates any property can be added to this object.
[IsEnabled <Boolean?>]: Specifies whether the session control is enabled.
[AuthenticationType ]: signInFrequencyAuthenticationType
[FrequencyInterval ]: signInFrequencyInterval
[Type ]: signinFrequencyType
[Value <Int32?>]: The number of days or hours.

Reference:
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/new-mgidentityconditionalaccesspolicy?view=graph-powershell-1.0
