fix issue with state changes on CA deployment

JohnDuprey · JohnDuprey · commit 9a61b67a340e · 2025-09-11T23:05:22.000-04:00
ticket 27684272542
diff --git a/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1 b/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
@@ -88,17 +88,17 @@ function New-CIPPCAPolicy {
 
     $displayname = ($RawJSON | ConvertFrom-Json).Displayname
 
-    $JSONObj = $RawJSON | ConvertFrom-Json | Select-Object * -ExcludeProperty ID, GUID, *time*
-    Remove-EmptyArrays $JSONObj
+    $JSONobj = $RawJSON | ConvertFrom-Json | Select-Object * -ExcludeProperty ID, GUID, *time*
+    Remove-EmptyArrays $JSONobj
     #Remove context as it does not belong in the payload.
     try {
-        $JsonObj.grantControls.PSObject.Properties.Remove('authenticationStrength@odata.context')
-        $JSONObj.templateId ? $JSONObj.PSObject.Properties.Remove('templateId') : $null
-        if ($JSONObj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.Members) {
-            $JsonObj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.PSObject.Properties.Remove('@odata.context')
+        $JSONobj.grantControls.PSObject.Properties.Remove('authenticationStrength@odata.context')
+        $JSONobj.templateId ? $JSONobj.PSObject.Properties.Remove('templateId') : $null
+        if ($JSONobj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.Members) {
+            $JSONobj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.PSObject.Properties.Remove('@odata.context')
         }
         if ($State -and $State -ne 'donotchange') {
-            $Jsonobj.state = $State
+            $JSONobj.state = $State
         }
     } catch {
         # no issues here.
@@ -108,18 +108,18 @@ function New-CIPPCAPolicy {
     if ($JSONobj.GrantControls.authenticationStrength.policyType -eq 'custom' -or $JSONobj.GrantControls.authenticationStrength.policyType -eq 'BuiltIn') {
         $ExistingStrength = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies/' -tenantid $TenantFilter -asApp $true | Where-Object -Property displayName -EQ $JSONobj.GrantControls.authenticationStrength.displayName
         if ($ExistingStrength) {
-            $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
+            $JSONobj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
 
         } else {
-            $Body = ConvertTo-Json -InputObject $JSONObj.GrantControls.authenticationStrength
+            $Body = ConvertTo-Json -InputObject $JSONobj.GrantControls.authenticationStrength
             $GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies' -body $body -Type POST -tenantid $tenantfilter -asApp $true
-            $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
-            Write-LogMessage -Headers $User -API $APINAME -message "Created new Authentication Strength Policy: $($JSONObj.GrantControls.authenticationStrength.displayName)" -Sev 'Info'
+            $JSONobj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
+            Write-LogMessage -Headers $User -API $APINAME -message "Created new Authentication Strength Policy: $($JSONobj.GrantControls.authenticationStrength.displayName)" -Sev 'Info'
         }
     }
 
-    #for each of the locations, check if they exist, if not create them. These are in $jsonobj.LocationInfo
-    $LocationLookupTable = foreach ($locations in $jsonobj.LocationInfo) {
+    #for each of the locations, check if they exist, if not create them. These are in $JSONobj.LocationInfo
+    $LocationLookupTable = foreach ($locations in $JSONobj.LocationInfo) {
         if (!$locations) { continue }
         foreach ($location in $locations) {
             if (!$location.displayName) { continue }
@@ -152,20 +152,20 @@ function New-CIPPCAPolicy {
         }
     }
 
-    foreach ($location in $JSONObj.conditions.locations.includeLocations) {
+    foreach ($location in $JSONobj.conditions.locations.includeLocations) {
         Write-Information "Replacing named location - $location"
         $lookup = $LocationLookupTable | Where-Object -Property name -EQ $location
         Write-Information "Found $lookup"
         if (!$lookup) { continue }
-        $index = [array]::IndexOf($JSONObj.conditions.locations.includeLocations, $location)
-        $JSONObj.conditions.locations.includeLocations[$index] = $lookup.id
+        $index = [array]::IndexOf($JSONobj.conditions.locations.includeLocations, $location)
+        $JSONobj.conditions.locations.includeLocations[$index] = $lookup.id
     }
 
-    foreach ($location in $JSONObj.conditions.locations.excludeLocations) {
+    foreach ($location in $JSONobj.conditions.locations.excludeLocations) {
         $lookup = $LocationLookupTable | Where-Object -Property name -EQ $location
         if (!$lookup) { continue }
-        $index = [array]::IndexOf($JSONObj.conditions.locations.excludeLocations, $location)
-        $JSONObj.conditions.locations.excludeLocations[$index] = $lookup.id
+        $index = [array]::IndexOf($JSONobj.conditions.locations.excludeLocations, $location)
+        $JSONobj.conditions.locations.excludeLocations[$index] = $lookup.id
     }
     switch ($ReplacePattern) {
         'none' {
@@ -174,10 +174,10 @@ function New-CIPPCAPolicy {
         }
         'AllUsers' {
             Write-Information 'Replacement pattern for inclusions and exclusions is All users. This policy will now apply to everyone.'
-            if ($JSONObj.conditions.users.includeUsers -ne 'All') { $JSONObj.conditions.users.includeUsers = @('All') }
-            if ($JSONObj.conditions.users.excludeUsers) { $JSONObj.conditions.users.excludeUsers = @() }
-            if ($JSONObj.conditions.users.includeGroups) { $JSONObj.conditions.users.includeGroups = @() }
-            if ($JSONObj.conditions.users.excludeGroups) { $JSONObj.conditions.users.excludeGroups = @() }
+            if ($JSONobj.conditions.users.includeUsers -ne 'All') { $JSONobj.conditions.users.includeUsers = @('All') }
+            if ($JSONobj.conditions.users.excludeUsers) { $JSONobj.conditions.users.excludeUsers = @() }
+            if ($JSONobj.conditions.users.includeGroups) { $JSONobj.conditions.users.includeGroups = @() }
+            if ($JSONobj.conditions.users.excludeGroups) { $JSONobj.conditions.users.excludeGroups = @() }
         }
         'displayName' {
             try {
@@ -186,41 +186,41 @@ function New-CIPPCAPolicy {
                 $groups = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName' -tenantid $TenantFilter -asApp $true
 
                 foreach ($userType in 'includeUsers', 'excludeUsers') {
-                    if ($JSONObj.conditions.users.PSObject.Properties.Name -contains $userType -and $JSONObj.conditions.users.$userType -notin 'All', 'None', 'GuestOrExternalUsers') {
-                        $JSONObj.conditions.users.$userType = @(Replace-UserNameWithId -userNames $JSONObj.conditions.users.$userType)
+                    if ($JSONobj.conditions.users.PSObject.Properties.Name -contains $userType -and $JSONobj.conditions.users.$userType -notin 'All', 'None', 'GuestOrExternalUsers') {
+                        $JSONobj.conditions.users.$userType = @(Replace-UserNameWithId -userNames $JSONobj.conditions.users.$userType)
                     }
                 }
 
                 # Check the included and excluded groups
                 foreach ($groupType in 'includeGroups', 'excludeGroups') {
-                    if ($JSONObj.conditions.users.PSObject.Properties.Name -contains $groupType) {
-                        $JSONObj.conditions.users.$groupType = @(Replace-GroupNameWithId -groupNames $JSONObj.conditions.users.$groupType)
+                    if ($JSONobj.conditions.users.PSObject.Properties.Name -contains $groupType) {
+                        $JSONobj.conditions.users.$groupType = @(Replace-GroupNameWithId -groupNames $JSONobj.conditions.users.$groupType)
                     }
                 }
             } catch {
                 $ErrorMessage = Get-CippException -Exception $_
-                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to replace displayNames for conditional access rule $($JSONObj.displayName). Error: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
-                throw "Failed to replace displayNames for conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError)"
+                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to replace displayNames for conditional access rule $($JSONobj.displayName). Error: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
+                throw "Failed to replace displayNames for conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError)"
             }
         }
     }
-    $JsonObj.PSObject.Properties.Remove('LocationInfo')
-    foreach ($condition in $JSONObj.conditions.users.PSObject.Properties.Name) {
-        $value = $JSONObj.conditions.users.$condition
+    $JSONobj.PSObject.Properties.Remove('LocationInfo')
+    foreach ($condition in $JSONobj.conditions.users.PSObject.Properties.Name) {
+        $value = $JSONobj.conditions.users.$condition
         if ($null -eq $value) {
-            $JSONObj.conditions.users.$condition = @()
+            $JSONobj.conditions.users.$condition = @()
             continue
         }
         if ($value -is [string]) {
             if ([string]::IsNullOrWhiteSpace($value)) {
-                $JSONObj.conditions.users.$condition = @()
+                $JSONobj.conditions.users.$condition = @()
                 continue
             }
         }
         if ($value -is [array]) {
             $nonWhitespaceItems = $value | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
             if ($nonWhitespaceItems.Count -eq 0) {
-                $JSONObj.conditions.users.$condition = @()
+                $JSONobj.conditions.users.$condition = @()
                 continue
             }
         }
@@ -237,7 +237,7 @@ function New-CIPPCAPolicy {
             Write-Information "Failed to disable security defaults for tenant $($TenantFilter): $($ErrorMessage.NormalizedError)"
         }
     }
-    $RawJSON = ConvertTo-Json -InputObject $JSONObj -Depth 10 -Compress
+    $RawJSON = ConvertTo-Json -InputObject $JSONobj -Depth 10 -Compress
     Write-Information $RawJSON
     try {
         Write-Information 'Checking for existing policies'
@@ -247,27 +247,31 @@ function New-CIPPCAPolicy {
                 throw "Conditional Access Policy with Display Name $($Displayname) Already exists"
                 return $false
             } else {
+                if ($State -eq 'donotchange') {
+                    $JSONobj.state = $CheckExististing.state
+                    $RawJSON = ConvertTo-Json -InputObject $JSONobj -Depth 10 -Compress
+                }
                 Write-Information "overwriting $($CheckExististing.id)"
                 $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON -asApp $true
-                Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Updated Conditional Access Policy $($JSONObj.Displayname) to the template standard." -Sev 'Info'
+                Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Updated Conditional Access Policy $($JSONobj.Displayname) to the template standard." -Sev 'Info'
                 return "Updated policy $displayname for $tenantfilter"
             }
         } else {
             Write-Information 'Creating new policy'
-            if ($JSONobj.GrantControls.authenticationStrength.policyType -or $JSONObj.$jsonobj.LocationInfo) {
+            if ($JSOObj.GrantControls.authenticationStrength.policyType -or $JSONobj.$JSONobj.LocationInfo) {
                 Start-Sleep 3
             }
             $null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $tenantfilter -type POST -body $RawJSON -asApp $true
-            Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Added Conditional Access Policy $($JSONObj.Displayname)" -Sev 'Info'
+            Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Added Conditional Access Policy $($JSONobj.Displayname)" -Sev 'Info'
             return "Created policy $displayname for $tenantfilter"
         }
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError) " -sev 'Error' -LogData $ErrorMessage
+        Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError) " -sev 'Error' -LogData $ErrorMessage
 
-        Write-Warning "Failed to create or update conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError)"
+        Write-Warning "Failed to create or update conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError)"
         Write-Information $_.InvocationInfo.PositionMessage
-        Write-Information ($JSONObj | ConvertTo-Json -Depth 10)
-        throw "Failed to create or update conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError)"
+        Write-Information ($JSONobj | ConvertTo-Json -Depth 10)
+        throw "Failed to create or update conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError)"
     }
 }
