
New-M365DSCDeltaReport: "No discrepancies have been found!" when adding an exclusion to Conditional Access Policies #4680

Closed
cstringham opened this issue May 15, 2024 · 3 comments

Comments

@cstringham

Description of the issue

When running the New-M365DSCDeltaReport command against two reports, I am getting no discrepancies despite having added an account to the excluded users list for one of our policies. I have also tested this on Microsoft365DSC Version 1.24.515.2 to the same result.

Source Config

# Generated with Microsoft365DSC version 1.24.424.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
)

Configuration REDACTED
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.424.1'

    Node localhost
    {
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-BLOCK - Test Policy"
        {
            ApplicationId                        = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationSecret                    = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
            AuthenticationContexts               = @();
            BuiltInControls                      = @("block");
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            CustomAuthenticationFactors          = @();
            DeviceFilterMode                     = "exclude";
            DeviceFilterRule                     = "device.deviceOwnership -eq `"Company`" -and device.isCompliant -eq True -and device.trustType -eq `"AzureAD`"";
            DisplayName                          = "BLOCK - Test Policy";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "";
            ExcludeGroups                        = @("Baseline - CA Exclusions");
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @();
            GrantControlOperator                 = "OR";
            Id                                   = "fc5cacb4-22b2-469f-bd30-394e89446707";
            IncludeApplications                  = @("All");
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "";
            IncludeGroups                        = @();
            IncludeLocations                     = @();
            IncludePlatforms                     = @("windows","macOS");
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @("All");
            PersistentBrowserMode                = "";
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "disabled";
            TenantId                             = $OrganizationName;
            UserRiskLevels                       = @();
        }
    }
}

REDACTED -ConfigurationData .\ConfigurationData.psd1

Destination Config

# Generated with Microsoft365DSC version 1.24.424.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
)

Configuration REDACTED
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.424.1'

    Node localhost
    {
        AADConditionalAccessPolicy "AADConditionalAccessPolicy-BLOCK - Test Policy"
        {
            ApplicationId                        = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationSecret                    = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
            AuthenticationContexts               = @();
            BuiltInControls                      = @("block");
            ClientAppTypes                       = @("all");
            CloudAppSecurityType                 = "";
            CustomAuthenticationFactors          = @();
            DeviceFilterMode                     = "exclude";
            DeviceFilterRule                     = "device.deviceOwnership -eq `"Company`" -and device.isCompliant -eq True -and device.trustType -eq `"AzureAD`"";
            DisplayName                          = "BLOCK - Test Policy";
            Ensure                               = "Present";
            ExcludeApplications                  = @();
            ExcludeExternalTenantsMembers        = @();
            ExcludeExternalTenantsMembershipKind = "";
            ExcludeGroups                        = @("Baseline - CA Exclusions");
            ExcludeLocations                     = @();
            ExcludePlatforms                     = @();
            ExcludeRoles                         = @();
            ExcludeUsers                         = @("[email protected]");
            GrantControlOperator                 = "OR";
            Id                                   = "fc5cacb4-22b2-469f-bd30-394e89446707";
            IncludeApplications                  = @("All");
            IncludeExternalTenantsMembers        = @();
            IncludeExternalTenantsMembershipKind = "";
            IncludeGroups                        = @();
            IncludeLocations                     = @();
            IncludePlatforms                     = @("windows","macOS");
            IncludeRoles                         = @();
            IncludeUserActions                   = @();
            IncludeUsers                         = @("All");
            PersistentBrowserMode                = "";
            SignInFrequencyType                  = "";
            SignInRiskLevels                     = @();
            State                                = "disabled";
            TenantId                             = $OrganizationName;
            UserRiskLevels                       = @();
        }
    }
}

REDACTED -ConfigurationData .\ConfigurationData.psd1

HTML Delta Report

[screenshot of the HTML delta report; not preserved in the text extract]

Microsoft 365 DSC Version

V1.24.424.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

No response

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@cstringham
Author

From what I can tell, this seems to be happening once the Initialize-M365DSCReporting function calls the DSCParser module using ConvertTo-DSCObject. The file content that is being passed through doesn't seem to play nice with the DSCParser module, as line 345 of the ConvertTo-DSCObject function ($Config = $AST.Find({$Args[0].GetType().Name -eq 'ConfigurationDefinitionAst'}, $False)) returns a null value, causing the comparison to happen between two null values.

Not sure if this is a problem with the configs that the Microsoft365DSC module is creating or with how the DSCParser module is handling the configs. I can create an issue with the DSCParser module if that seems to be what is causing the issue.

@cstringham
Author

Digging into it, I have been using the tenant ID in the configuration name. The issues that I was running into seem to be because I had "-" in the name of the configuration...
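A preflight check for the failure mode described in the two comments above, added here as an example; it is not code from the issue, from Microsoft365DSC or from DSCParser. It runs the PowerShell parser over each configuration file and performs the same `Ast.Find` lookup for a `ConfigurationDefinitionAst` that the reporter quotes from `ConvertTo-DSCObject`, so a file that yields no Configuration block is flagged before `New-M365DSCDeltaReport` compares two nulls and prints "No discrepancies have been found!" over a Conditional Access exclusion that was actually changed. It also warns when the configuration name contains "-", which is what the reporter traced the problem to. Written for Windows PowerShell 5.1 (the reporter's environment); the function name `Test-M365DSCConfigParsable` and the paths in the usage comment are illustrative.

```powershell
# Added example, not part of the issue or of the Microsoft365DSC/DSCParser projects.
# Verifies that each DSC configuration file actually parses to a Configuration block
# before it is handed to New-M365DSCDeltaReport.
function Test-M365DSCConfigParsable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Path
    )

    foreach ($file in $Path) {
        $tokens = $null
        $errors = $null
        $fullPath = (Resolve-Path -LiteralPath $file).ProviderPath

        # Parse the file without executing it. Import-DscResource is resolved at parse
        # time, so a missing Microsoft365DSC module shows up in $errors, not as an exception.
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $fullPath, [ref] $tokens, [ref] $errors)

        # Same lookup the reporter quotes from ConvertTo-DSCObject. A $null result here is
        # exactly the case where the delta report ends up comparing nothing with nothing.
        $config = $ast.Find({ $args[0].GetType().Name -eq 'ConfigurationDefinitionAst' }, $false)

        $result = [pscustomobject]@{
            File              = $fullPath
            ConfigurationName = $null
            ParseErrors       = @($errors | ForEach-Object { $_.Message })
            Parsable          = ($null -ne $config)
        }

        if ($null -ne $config) {
            # InstanceName is an ExpressionAst; its extent text is the literal name after 'Configuration'.
            $result.ConfigurationName = $config.InstanceName.Extent.Text
            if ($result.ConfigurationName -match '-') {
                # The reporter traced the failure to a '-' in this name; surface it explicitly.
                Write-Warning "${fullPath}: configuration name '$($result.ConfigurationName)' contains '-'"
            }
        }
        else {
            Write-Warning "${fullPath}: no Configuration block found; a delta report built from this file would report no discrepancies regardless of content"
        }

        $result
    }
}

# Usage (paths illustrative, mirroring the cmdlets quoted later in the thread):
# $checks = Test-M365DSCConfigParsable -Path 'C:\Temp\Approved\TestApproved.ps1', 'C:\Temp\Not Approved\Test.ps1'
# if ($checks.Parsable -contains $false) { throw 'Refusing to build a delta report from a file that yields no Configuration block.' }
# New-M365DSCDeltaReport -Source $checks[0].File -Destination $checks[1].File -OutputPath 'C:\Temp\delta.html' -Type HTML
```

`Parsable` only asserts that a Configuration block was found; parse errors are returned separately in `ParseErrors` because an export can still carry a valid Configuration block when the `Import-DscResource` line cannot be resolved on the machine running the check.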

@Raimer1988

Raimer1988 commented Jun 25, 2024

Digging into it, I have been using the tenant ID in the configuration name. The issues that I was running into seem to be because I had "-" in the name of the configuration...

@cstringham I'm experiencing the same issue.
I tried removing all "-" as well as "_" from the export cmdlet, but it did not help.

I'm getting the same issue when I'm testing with these cmdlets:
Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy", "SpoSharingSettings") -ApplicationId 'redacted' -CertificateThumbprint 'redacted' -TenantId 'redacted' -Path "C:\Temp\Approved\" -FileName "TestApproved.ps1"

Export-M365DSCConfiguration -Components @("AADConditionalAccessPolicy", "SpoSharingSettings") -ApplicationId 'redacted' -CertificateThumbprint 'redacted' -TenantId 'redacted' -Path "C:\Temp\Not Approved\" -FileName "Test.ps1"

New-M365DSCDeltaReport -Source "C:\Temp\Approved\TestApproved.ps1" -Destination "C:\Temp\Not Approved\Test.ps1" -OutputPath "C:\Temp\delta.html" -Type HTML

The only place left where I can find any "-" is in the name of the actual Conditional Access policy. Could that be the cause?
Any help or pointing in the right direction would be greatly appreciated.
