During Microsoft’s Ignite event in September 2020, the Conditional Access Application Programming Interfaces (APIs) were announced as Generally Available. We’ve covered this change in our recap of Identity-related Announcements from Microsoft Ignite 2020.
Barbara Forbes and I are in the process of creating several solutions for Conditional Access administrators that rely on the Conditional Access APIs. We’re working on Windows PowerShell scripts that document the configured Conditional Access settings, back up and restore Conditional Access policies, and analyse Conditional Access policies against Microsoft’s recommended practices.
Alas, the current APIs suffer from quite a serious bug: when Conditional Access policies are configured with conditions that are in Public Preview, those policies are not returned, and no error is returned either.
You are an admin for an organization with an Azure AD tenant, equipped with Azure AD Premium subscription licenses. You are assigned one or more of the following privileged roles:
- Global Administrator
- Conditional Access Administrator
- Security Administrator
- Security Reader
The organization has configured one or more Conditional Access policies.
One or more policies are configured with conditions that are labeled Preview in the Azure AD admin experience. The conditions that are currently in preview are:
- User risk (Preview)
- Device state (Preview)
You perform one or both of the following actions:
- You use the Get-AzureADMSConditionalAccessPolicy Windows PowerShell cmdlet in the latest AzureAD PowerShell module to retrieve all Conditional Access policies.
- You retrieve all Conditional Access policies by referencing the Conditional Access API in your code or using the Graph Explorer.
All Conditional Access policies are retrieved, except for the Conditional Access policies that have conditions configured that are currently labeled Preview.
You do not receive an error.
Despite the latest communication from Microsoft, Conditional Access policies configured with the Report-only state are retrieved without problems.
When you remove the conditions that are currently labeled Preview, the Conditional Access policies are retrieved.
When you use the AzureADPreview Windows PowerShell Module for Azure Active Directory, or when you use the Preview APIs, the Conditional Access policies are retrieved. However, the AzureADPreview Windows PowerShell Module and the AzureAD Windows PowerShell Module cannot coexist on the same Windows or Windows Server installation.
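Because the omission comes without an error, a backup or documentation script that reads only the GA endpoint has no way of knowing it missed anything. The check below is an added example (not code from the original post or its scripts): it pulls the policy list from both the v1.0 and the beta Graph endpoints and reports every policy that only the beta endpoint returns, together with the preview conditions it carries. It assumes the beta policy object exposes the preview conditions as `conditions.userRiskLevels` (a list) and `conditions.deviceStates` (an object with include/exclude lists), and that the caller supplies an access token; the sample payloads are constructed.

```python
import json
import urllib.request

# Preview conditions the post names, keyed by the Graph JSON property assumed to carry them:
# userRiskLevels is a list of levels, deviceStates an object with include/exclude state lists.
PREVIEW_CONDITIONS = {"userRiskLevels": "User risk (Preview)",
                      "deviceStates": "Device state (Preview)"}

def fetch_policies(version, token):
    """Fetch every policy from /<version>/identity/conditionalAccess/policies, following paging."""
    url = f"https://graph.microsoft.com/{version}/identity/conditionalAccess/policies"
    policies = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        policies.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return policies

def preview_conditions(policy):
    """Return the labels of the preview conditions configured on one policy object."""
    conditions = policy.get("conditions") or {}
    found = []
    for prop, label in PREVIEW_CONDITIONS.items():
        value = conditions.get(prop)
        if isinstance(value, dict):  # deviceStates: configured if either list is non-empty
            configured = any(value.get(k) for k in ("includeStates", "excludeStates"))
        else:                        # userRiskLevels: configured if the list is non-empty
            configured = bool(value)
        if configured:
            found.append(label)
    return found

def find_dropped_policies(ga_policies, beta_policies):
    """Map each policy id present in beta but absent from v1.0 to its preview conditions."""
    ga_ids = {p["id"] for p in ga_policies}
    return {p["id"]: preview_conditions(p) for p in beta_policies if p["id"] not in ga_ids}

# Constructed sample payloads (not from a real tenant): v1.0 silently omits the policy
# that uses the User risk (Preview) condition, as the post describes, with no error.
SAMPLE_BETA = [
    {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Require MFA for all users",
     "conditions": {"userRiskLevels": [], "deviceStates": None}},
    {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Block sign-in at high user risk",
     "conditions": {"userRiskLevels": ["high"], "deviceStates": None}},
]
SAMPLE_GA = [SAMPLE_BETA[0]]
```

For a live tenant, call `find_dropped_policies(fetch_policies("v1.0", token), fetch_policies("beta", token))` with a token that carries the Policy.Read.All permission; a non-empty result means the GA endpoint is hiding policies from your backup or documentation run.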
Microsoft supports Preview features, but in the case of the Conditional Access APIs, this apparently does not include programmatic access… something the APIs are specifically there for.
I feel the way the Conditional Access APIs filter out policies with Preview conditions is a very unreliable way of handling preview features.
I hope something can be done to remediate the situation, as the API functionality is currently unusable for the scenarios Barbara and I have in mind.