
# Unmatching schema New-MgIdentityConditionalAccessPolicy - ConditionalAccessPolicy type #3089

@ChristofferLB

### Describe the bug

I'm using `Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $conditionalAccessPolicyId` to get a Conditional Access Policy (I've tried the HTTP alternative too). When I try to use the JSON to create a new policy, I get the following error message:

```
New-MgIdentityConditionalAccessPolicy_Create: 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
```

It looks like it's related to when an Authentication Strength policy is used, both built-in and custom, since it works when trying with other policies, including with "Require multifactor authentication" configured. That generates the error below, so it matches the schema.

```
New-MgIdentityConditionalAccessPolicy_Create: 1001: 'id' is a readonly field and cannot be updated. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
```

I know the JSON contains objects (such as id above) that shouldn't be there when creating a new policy, but I get the same error when removing those too.

### Expected behavior

I'm expecting to be able to create a new Conditional Access policy based on the JSON I get as a response when using `Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $conditionalAccessPolicyId`.

### How to reproduce

```powershell
# Placeholder: the id of a policy that uses the MFA authentication strength
$conditionalAccessPolicyId = '<id of a policy using the MFA Authentication Strength>'

$Policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $conditionalAccessPolicyId

# Body transcribed from the retrieved policy
$params = @{
    "conditions" = @{
        "applications" = @{
            "includeApplications" = @("All")
        }
        "clientAppTypes" = @("all")
    }
    "users" = @{
        "excludeUsers" = @(
            "f51aeea6-6eb4-48e8-90ae-502c4dcea45b",
            "d1b8568f-1847-4772-b5bf-088636c7f96b",
            "3c114ee3-f61d-4450-8f63-9370ad01d538"
        )
        "includeUsers" = @("All")
    }
    "createdDateTime" = "2024-01-15T08:23:31.3464793Z"
    "displayName" = "MFA for all users"
    "grantControls" = @{
        "authenticationStrength" = @{
            "allowedCombinations" = @(
                "windowsHelloForBusiness",
                "fido2",
                "x509CertificateMultiFactor",
                "deviceBasedPush",
                "temporaryAccessPassOneTime",
                "temporaryAccessPassMultiUse",
                "password,microsoftAuthenticatorPush",
                "password,softwareOath",
                "password,hardwareOath",
                "password,sms",
                "password,voice",
                "federatedMultiFactor",
                "microsoftAuthenticatorPush,federatedSingleFactor",
                "softwareOath,federatedSingleFactor",
                "hardwareOath,federatedSingleFactor",
                "sms,federatedSingleFactor",
                "voice,federatedSingleFactor"
            )
            "createdDateTime" = "2021-12-01T08:00:00Z"
            "description" = "Combinations of methods that satisfy strong authentication, such as a password + SMS"
            "displayName" = "Multifactor authentication"
            "id" = "00000000-0000-0000-0000-000000000002"
            "modifiedDateTime" = "2021-12-01T08:00:00Z"
            "policyType" = "builtIn"
            "requirementsSatisfied" = "mfa"
        }
        "operator" = "OR"
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

**Working JSON (with MFA but not Authentication Strength)**

```powershell
$params = @{
    "displayName" = "MFA for all users"
    "conditions" = @{
        "users" = @{
            "includeUsers" = @("b04ca2b9-a0ed-470a-abae-1fcdd9068eae")
            "excludeUsers" = @("e4f2b8a1-ee63-43cc-bc8a-d865ad9a29f6", "f51aeea6-6eb4-48e8-90ae-502c4dcea45b")
        }
        "applications" = @{
            "includeApplications" = @("All")
        }
        "clientAppTypes" = @("all")
    }
    "state" = "disabled"
    # Single quotes: in a double-quoted string PowerShell would expand $metadata and $entity
    "@odata.context" = 'https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity'
    "grantControls" = @{
        "builtInControls" = @("mfa")
        "operator" = "OR"
    }
}
```
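As an added example (not part of the issue and not code from the Graph PowerShell SDK), the following helper rebuilds a policy fetched with `Get-MgIdentityConditionalAccessPolicy` (or the HTTP equivalent) into a body for the create call. It keeps the `users` block under `conditions`, as in the working JSON above (in the failing request body shown in the debug log below, `users` sits at the top level), copies only the writable top-level members so that `id`, `createdDateTime` and `modifiedDateTime` are never sent, strips `@odata.*` annotations and nulls, and reduces the authentication strength to a reference by `id`. That last step is an assumption about what the create endpoint accepts, not something the issue establishes. The input is assumed to use camelCase keys (a hashtable or a `ConvertFrom-Json` object); `ConvertTo-CaPolicyCreateBody`, `ConvertTo-PlainHashtable` and the `$fetched` sample are constructed here for the example.

```powershell
# Added example, not the SDK's code: clone a Conditional Access policy from its GET representation.

function ConvertTo-PlainHashtable {
    # Recursively copy hashtables / PSCustomObjects into plain hashtables, dropping
    # @odata.* annotations and null members that GET returns but a request body should not carry.
    param($Object)
    if ($null -eq $Object -or $Object -is [string]) { return $Object }
    $isCustom = $Object.PSObject.BaseObject -is [System.Management.Automation.PSCustomObject]
    if ($Object -is [System.Collections.IDictionary] -or $isCustom) {
        $out = @{}
        $pairs = if ($Object -is [System.Collections.IDictionary]) { $Object.GetEnumerator() } else { $Object.PSObject.Properties }
        foreach ($p in $pairs) {
            $key = if ($p -is [System.Collections.DictionaryEntry]) { $p.Key } else { $p.Name }
            if ($key -like '@odata*') { continue }
            $value = ConvertTo-PlainHashtable $p.Value
            if ($null -ne $value) { $out[$key] = $value }
        }
        return $out
    }
    if ($Object -is [System.Collections.IEnumerable]) {
        # Leading comma keeps an empty array from unrolling into nothing on return
        return ,@($Object | ForEach-Object { ConvertTo-PlainHashtable $_ })
    }
    return $Object
}

function ConvertTo-CaPolicyCreateBody {
    param(
        [Parameter(Mandatory)] $Policy,        # policy as returned by GET (camelCase keys)
        [string] $DisplayName,                  # name for the clone; defaults to "<original> (copy)"
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'   # report-only by default: nothing is enforced until reviewed
    )
    $conditions = ConvertTo-PlainHashtable $Policy.conditions
    if ($null -eq $conditions -or $null -eq $conditions.users) {
        throw "conditions.users is missing; a 'users' block outside 'conditions' does not match the ConditionalAccessPolicy schema."
    }
    $name = if ($DisplayName) { $DisplayName } else { "$($Policy.displayName) (copy)" }
    # Only writable members are copied, so id/createdDateTime/modifiedDateTime never reach the request
    $body = @{
        displayName = $name
        state       = $State
        conditions  = $conditions
    }
    $grant = $Policy.grantControls
    if ($grant) {
        $g = @{ operator = $grant.operator }
        if ($grant.builtInControls) { $g.builtInControls = @($grant.builtInControls) }
        if ($grant.termsOfUse)      { $g.termsOfUse      = @($grant.termsOfUse) }
        # Assumption (not established by the issue): the create endpoint takes the authentication
        # strength as a reference by id, not the expanded definition GET returns (allowedCombinations, policyType, ...).
        $strength = $grant.authenticationStrength
        if ($strength -and $strength.id) { $g.authenticationStrength = @{ id = $strength.id } }
        $body.grantControls = $g
    }
    if ($Policy.sessionControls) { $body.sessionControls = ConvertTo-PlainHashtable $Policy.sessionControls }
    return $body
}

# Constructed sample of what GET returns for a policy that requires the built-in MFA
# authentication strength; mirrors the body in this issue, with 'users' under 'conditions'.
$fetched = @{
    id               = '<policy-id-placeholder>'        # read-only
    createdDateTime  = '2024-01-15T08:23:31.3464793Z'   # read-only
    modifiedDateTime = $null
    displayName      = 'MFA for all users'
    state            = 'enabled'
    '@odata.context' = 'https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity'
    conditions       = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All'); excludeApplications = @() }
        users          = @{ includeUsers = @('All'); excludeUsers = @('f51aeea6-6eb4-48e8-90ae-502c4dcea45b'); includeGroups = @() }
        platforms      = $null
    }
    grantControls    = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{
            id                    = '00000000-0000-0000-0000-000000000002'
            displayName           = 'Multifactor authentication'
            policyType            = 'builtIn'
            requirementsSatisfied = 'mfa'
            allowedCombinations   = @('windowsHelloForBusiness', 'fido2', 'password,sms')
        }
    }
}

$body = ConvertTo-CaPolicyCreateBody -Policy $fetched -DisplayName 'MFA for all users (clone)'
$body | ConvertTo-Json -Depth 10      # inspect the request before sending it

# Once the JSON looks right (needs Policy.ReadWrite.ConditionalAccess); the clone lands in report-only mode:
# New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

The clone is created as `enabledForReportingButNotEnforced` unless `-State` says otherwise, so a copy that turns out to be wrong shows up in sign-in logs instead of locking accounts out; switch it to `enabled` only after the report-only results have been reviewed.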

### SDK Version

2.25.0

### Latest version known to work for scenario above?

No response

### Known Workarounds

No response

### Debug output
DEBUG: [CmdletBeginProcessing]: - New-MgIdentityConditionalAccessPolicy begin processing with parameterSet 'Create'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: 'automation'.
DEBUG: [Authentication]: - Scopes: [Policy.Read.ConditionalAccess, Teamwork.Migrate.All, PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup, Policy.ReadWrite.ConditionalAccess, RoleManagementPolicy.Read.AzureADGroup, PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup, User.ReadWrite.All, RoleManagementPolicy.ReadWrite.AzureADGroup, Directory.ReadWrite.All, Group.ReadWrite.All, EntitlementManagement.ReadWrite.All, RoleManagement.ReadWrite.Directory, AuditLog.Read.All, Policy.Read.All].

Confirm
Are you sure you want to perform this action?
Performing the operation "New-MgIdentityConditionalAccessPolicy_Create" on target "Call remote 'POST /identity/conditionalAccess/policies' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-SE),PowerShell/7.5.0
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.25.0
client-request-id : 6497d481-9dc7-4111-a3f0-b199e6475299

Body:
{
"users": {
"excludeUsers": [
"f51aeea6-6eb4-48e8-90ae-502c4dcea45b",
"d1b8568f-1847-4772-b5bf-088636c7f96b",
"3c114ee3-f61d-4450-8f63-9370ad01d538"
],
"includeUsers": [
"All"
]
},
"createdDateTime": "2024-01-15T08:23:31.3464793Z",
"displayName": "MFA for all users",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"All"
]
}
},
"grantControls": {
"operator": "OR",
"authenticationStrength": {
"id": "00000000-0000-0000-0000-000000000002",
"allowedCombinations": [
"windowsHelloForBusiness",
"fido2",
"x509CertificateMultiFactor",
"deviceBasedPush",
"temporaryAccessPassOneTime",
"temporaryAccessPassMultiUse",
"password,microsoftAuthenticatorPush",
"password,softwareOath",
"password,hardwareOath",
"password,sms",
"password,voice",
"federatedMultiFactor",
"microsoftAuthenticatorPush,federatedSingleFactor",
"softwareOath,federatedSingleFactor",
"hardwareOath,federatedSingleFactor",
"sms,federatedSingleFactor",
"voice,federatedSingleFactor"
],
"createdDateTime": "2021-12-01T08:00:00Z",
"description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
"displayName": "Multifactor authentication",
"modifiedDateTime": "2021-12-01T08:00:00Z",
"policyType": "builtIn",
"requirementsSatisfied": "mfa"
}
}
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7565a2ba-0bd3-493a-aa41-a52a66742b40
client-request-id : 6497d481-9dc7-4111-a3f0-b199e6475299
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Norway East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"OSL2EPF00000167"}}
Date : Tue, 28 Jan 2025 15:30:29 GMT

Body:
{
"error": {
"code": "BadRequest",
"message": "1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.",
"innerError": {
"date": "2025-01-28T15:30:29",
"request-id": "7565a2ba-0bd3-493a-aa41-a52a66742b40",
"client-request-id": "6497d481-9dc7-4111-a3f0-b199e6475299"
}
}
}

New-MgIdentityConditionalAccessPolicy_Create: 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please see API documentation at https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.

Status: 400 (BadRequest)
ErrorCode: BadRequest
Date: 2025-01-28T15:30:29

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 7565a2ba-0bd3-493a-aa41-a52a66742b40
client-request-id : 6497d481-9dc7-4111-a3f0-b199e6475299
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Norway East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"OSL2EPF00000167"}}
Date : Tue, 28 Jan 2025 15:30:29 GMT

Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - New-MgIdentityConditionalAccessPolicy end processing.



### Configuration

```
Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Windows 11 Enterprise 23H2 22631.4751

VSCode 1.96.4

### Other information

_No response_
