Everything works great until the end of the restore process logic app.

The template id field is causing the following error at the last steps of restore logic app. Though it has a null value, it is giving a 400 error. Attempts to strip the field or change it from null aren't fixing the issue either. I deleted and changed some values below for privacy:

"error": {
"code": "BadRequest",
"message": "1118: TemplateId is a read-only field and cannot be updated.",

RAW INPUTS:
{
"uri": "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/erasedforprivacy00000",
"method": "PATCH",
"headers": {
"Content-Type": "application/json"
},
"authentication": {
"tenant": "",
"audience": "https://graph.microsoft.com",
"clientId": "*****",
"secret": "sanitized",
"type": "ActiveDirectoryOAuth"
},
"body": "{"templateId":null,"displayName":"PolicyConditionalAccess1","state":"enabled","sessionControls":null,"conditions":{"userRiskLevels":[],"signInRiskLevels":[],"clientAppTypes":["all"],"servicePrincipalRiskLevels":[],"platforms":null,"locations":null,"devices":null,"clientApplications":null,"applications":{"includeApplications":["All"],"excludeApplications":[],"includeUserActions":[],"includeAuthenticationContextClassReferences":[],"applicationFilter":null},"users":{"includeUsers":["GuestsOrExternalUsers"],"excludeUsers":[],"includeGroups":[],"excludeGroups":[],"includeRoles":[],"excludeRoles":[],"includeGuestsOrExternalUsers":null,"excludeGuestsOrExternalUsers":null}},"grantControls":{"operator":"OR","builtInControls":["mfa"],"customAuthenticationFactors":[],"termsOfUse":[],"[email protected]":"https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('erasedforprivacy00000')/grantControls/authenticationStrength/$entity\",\"authenticationStrength\":null}}{\"displayName\":\"PolicyConditionalAccess1\",\"modifiedDateTime\":\"2022-10-14T21:13:37.0687352Z\",\"state\":\"enabled\",\"sessionControls\":null,\"conditions\":{\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[],\"platforms\":null,\"locations\":null,\"devices\":null,\"clientApplications\":null,\"applications\":{\"includeApplications\":[\"All\"],\"excludeApplications\":[],\"includeUserActions\":[],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[\"GuestsOrExternalUsers\"],\"excludeUsers\":[],\"includeGroups\":[],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[],\"includeGuestsOrExternalUsers\":null,\"excludeGuestsOrExternalUsers\":null}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[],\"[email protected]\":\"https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('erasedforprivacy00000')/grantControls/authenticationStrength/$entity\",\"authenticationStrength\":null}}"
}

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

'preproduction environment' is mentioned in this page:
https://github.com/Azure-Samples/azure-ad-conditional-access-apis/blob/main/02-test/readme.md

Please clarify - does this imply two separate AAD directories, one for prod and one for preprod?

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

I have 11 CA policies in my tenant but the cmdlet Get-AzureADMSConditionalAccessPolicy only returns 10
The missing Ca rule was invalid due the usage of a preview feature, which was removed and now the configuration is not existing anymore. (Empty user action)

Any log messages given by the failure

Expected/desired behavior

I would expect at least an error or an information from the cmdlet.

OS and Version?

Windows 10

Versions

PS C:\ $PSVersionTable

Name Value

PSVersion 5.1.19041.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Mention any other details that might be useful

I think it is not happening very often but could help to troubleshoot misconfigured CA policies

---

Thanks! We'll be in touch soon.

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

When running your specific $conditions to create the CA Policy I receive an error. I am authenticated with the global admin on the tenant, the account is also a part of the 'Conditional Access Administrators' role.
Even if I write my own conditions in I have the same error.
The only amendment I had made to your script was the $conditions.users.includegroups for a group Id in the tenant.

Any log messages given by the failure

PS C:\Windows\system32> New-AzureADMSConditionalAccessPolicy -DisplayName "CA0002: Require MFA for medium + sign-in risk" -State "enabledForReportingButNotEnforced" -Conditions $conditions -GrantControls $controls

New-AzureADMSConditionalAccessPolicy : Cannot bind parameter 'Conditions'. Cannot convert the "class ConditionalAccessConditionSet {
Applications: class ConditionalAccessApplicationCondition {
IncludeApplications: System.Collections.Generic.List1[System.String] ExcludeApplications: IncludeUserActions: IncludeProtectionLevels: } Users: class ConditionalAccessUserCondition { IncludeUsers: ExcludeUsers: IncludeGroups: System.Collections.Generic.List1[System.String]
ExcludeGroups:
IncludeRoles:
ExcludeRoles:
}
Platforms:
Locations:
SignInRiskLevels: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.ConditionalAccessRiskLevel]
ClientAppTypes:
}
" value of type "Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet" to type "Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet".
At line:1 char:154

• ... e "enabledForReportingButNotEnforced" -Conditions $conditions -GrantC ...

•                                                   ~~~~~~~~~~~
  

  • CategoryInfo : InvalidArgument: (:) [New-AzureADMSConditionalAccessPolicy], ParameterBindingException
  • FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Open.MSGraphBeta.PowerShell.NewAzureADMSConditionalAccessPolicy

Expected/desired behavior

No error

OS and Version?

Versions

Mention any other details that might be useful

If I am being a noob, then I am very sorry! Have looked into Intune and Azure deployment for so long my brain is mush.

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Just to trying to follow up the instruction here.

Any log messages given by the failure

There are many issues not just in the logs due to outdated instructions.

Expected/desired behavior

To get clear and up to date instructions with the new sections in Azure.

OS and Version?

This is Azure platform; OS does not affect platform behavior.

Versions

111.4

Mention any other details that might be useful

Please update the instructions on this guide, there are many sections that don't apply anymore due to the updates to Azure in the last 5 months.

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Install latest AzureADPreview from nuget (2.0.2.149)
Run the command Get-AzureADMSConditionalAccessPolicy

Any log messages given by the failure

Get-AzureADMSConditionalAccessPolicy : Error converting value "linux" to type 'Microsoft.Open.MSGraph.Model.ConditionalAccessDevicePlatforms'. Path 'value[29].conditions.platforms.includePlatforms[0]', line 1, position 31005.
At line:1 char:1

• Get-AzureADMSConditionalAccessPolicy

•   + CategoryInfo          : NotSpecified: (:) [Get-AzureADMSConditionalAccessPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetAzureADMSConditionalAccessPolicy
  
  

Expected/desired behavior

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
Windows 11

Versions

AzureADPreview from nuget (2.0.2.149)

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.