adriancmilian

Reputation: 21

Microsoft 365 Can't add multiple groups to CA policies through PowerShell Function

Hi, first time posting here. I'm trying to create some modules for my company for easier Microsoft 365 management and automating tenant creation. I've run into a bit of an issue when trying to create a new conditional access policy with multiple groups assigned to it. Here is my code:

function New-MFACAPolicy {
    param (
        [Parameter(Mandatory=$true, Position = 0)]
        [string[]]$Groups,

        [Parameter(Mandatory=$true)]
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced', 'disabled')]
        [string]$State,

        [Parameter(Mandatory=$false)]
        [string]$ExcludedGroups
    )

    BEGIN{
        Test-AzureADConnection -ErrorAction SilentlyContinue

        #Create Empty Array
        $IncludedGroups = @()
        $ExclGroups = @()
        #Loop through Groups listed and add to array of Object ID's for each group
        foreach ($Group in $Groups) {

            $IncludedGroup = Get-AzureADMSGroup -SearchString $Group

            $IncludedGroups += $IncludedGroup.id
            
        }#Foreach

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            foreach ($ExcludedGroup in $ExcludedGroups) {
                
                $ExclGroup = Get-AzureADMSGroup -SearchString $ExcludedGroup

                $ExclGroups += $ExclGroup.id 

            }#Foreach
            
        }#If Excluded Groups parameter is specified

        $InclGroups = $($IncludedGroups -join ', ')

    }#Begin

    Process {

    $Conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $Conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $Conditions.Applications.IncludeApplications = "All"
    $Conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $conditions.Users.IncludeGroups = "$InclGroups"
    $Conditions.ClientAppTypes = @('Browser','MobileAppsAndDesktopClients')
    $Controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $controls._Operator = "OR"
    $Controls.BuiltInControls = "mfa"

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            $Conditions.Users.ExcludeGroups = "$ExcludedGroups"
        
        }#If ExcludedGroups parameter specified 

    New-AzureADMSConditionalAccessPolicy -DisplayName "CA001: Require MFA for all Licensed Users" -State $State -Conditions $Conditions -GrantControls $Controls
    }#Process
}

Not sure why, but I can add a single group just fine when running New-MFACAPolicy -Groups "HR" -State enabledForReportingButNotEnforced

but when specifying multiple groups, New-MFACAPolicy -Groups "HR", "Marketing" -State enabledForReportingButNotEnforced, I receive the following error message:

New-AzureADMSConditionalAccessPolicy : Error occurred while executing NewAzureADMSConditionalAccessPolicy
Code: BadRequest
Message: 1054: Invalid group value: GroupID1, GroupID2. <--- This is usually the ID of the group I redacted it to hide that information
InnerError:
  RequestId: 53f15e3e-53cc-4c10-a537-983b8d6f87a6
  DateTimeStamp: Thu, 28 Oct 2021 14:21:42 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\Redacted\New-CAPolicies.ps1:63 char:5
+     New-AzureADMSConditionalAccessPolicy -DisplayName "CA001: Require ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADMSConditionalAccessPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphV10.Client.ApiException,Microsoft.Open.MSGraphV10.PowerShell.NewAz
   ureADMSConditionalAccessPolicy

Not sure why this won't work, as I'm just turning an array into a comma-separated string... If there is a better way to do this that someone can suggest, I'm definitely open to redoing this.

Thank you for the help!

Upvotes: 1

Views: 289
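The error above is a type problem rather than a lookup problem: the user condition of a Conditional Access policy expects a collection of group object IDs, one GUID per element, and `$IncludedGroups -join ', '` (or the quoted `"$InclGroups"`) collapses the whole list into a single string that the API then tries to treat as one group ID. The following added check (not code from the original post) reproduces that offline, with no tenant connection, using constructed group IDs; it reports how many elements a value actually contains and whether each one parses as a GUID.

```powershell
# Added example, not from the original post. Runs offline: no AzureAD module or tenant needed.
function Test-GroupIdList {
    param(
        [Parameter(Mandatory = $true)]
        [object]$Value
    )
    # The CA user condition wants a collection of object IDs, one GUID string per element.
    # Wrapping in @() shows how many elements the value really has: a joined string is one element.
    $items = @($Value)
    $problems = @()
    foreach ($item in $items) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse([string]$item, [ref]$parsed)) {
            $problems += "not a single GUID: '$item'"
        }
    }
    [pscustomobject]@{
        Count    = $items.Count
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample group object IDs (placeholders, not real tenant values).
$groupIds = @(
    '11111111-1111-1111-1111-111111111111',
    '22222222-2222-2222-2222-222222222222'
)

# The failing form from the question: one comma-separated string.
Test-GroupIdList -Value ($groupIds -join ', ')

# Also a single string: "$array" space-joins the elements.
Test-GroupIdList -Value "$groupIds"

# The working form: pass the array itself.
Test-GroupIdList -Value $groupIds
```

The first two calls report a single element that is not a GUID; the third reports two valid elements. That is exactly the difference between the request the API rejected and the one it accepts.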

Answers (1)

adriancmilian

Reputation: 21

Needed to remove the quotes and keep it an array.

Final version:

function New-MFACAPolicy {
    param (
        [Parameter(Mandatory=$true, Position = 0)]
        [string[]]$Groups,

        [Parameter(Mandatory=$true)]
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced', 'disabled')]
        [string]$State,

        #[string[]] so that more than one excluded group can be passed;
        #a [string] parameter would flatten "HR", "Marketing" into one string
        [Parameter(Mandatory=$false)]
        [string[]]$ExcludedGroups
    )

    BEGIN{
        Test-AzureADConnection -ErrorAction SilentlyContinue

        #Create Empty Arrays of group object IDs
        $IncludedGroups = @()
        $ExclGroups = @()
        #Loop through Groups listed and add to array of Object ID's for each group
        #Note: -SearchString is a prefix match on the display name, so one name can
        #return several groups, and the policy would then be scoped to all of them
        foreach ($Group in $Groups) {

            $IncludedGroup = Get-AzureADMSGroup -SearchString $Group

            $IncludedGroups += $IncludedGroup.id

        }#Foreach

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            foreach ($ExcludedGroup in $ExcludedGroups) {

                $ExclGroup = Get-AzureADMSGroup -SearchString $ExcludedGroup

                $ExclGroups += $ExclGroup.id

            }#Foreach

        }#If Excluded Groups parameter is specified

    }#Begin

    Process {

        $Conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
        $Conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
        $Conditions.Applications.IncludeApplications = "All"
        $Conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
        #Assign the array of object IDs directly; joining or quoting it gives one string, which the API rejects
        $Conditions.Users.IncludeGroups = $IncludedGroups
        $Conditions.ClientAppTypes = @('Browser','MobileAppsAndDesktopClients')
        $Controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
        $Controls._Operator = "OR"
        $Controls.BuiltInControls = "mfa"

        if ($PSBoundParameters.ContainsKey('ExcludedGroups')) {

            $Conditions.Users.ExcludeGroups = $ExclGroups

        }#If ExcludedGroups parameter specified

        New-AzureADMSConditionalAccessPolicy -DisplayName "CA001: Require MFA for all Licensed Users" -State $State -Conditions $Conditions -GrantControls $Controls
    }#Process
}#Function

Upvotes: 1
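Keeping the value an array fixes the request, but the name-to-ID step still deserves a guard: a Conditional Access policy that silently lands on the wrong group (or on two groups because a search matched more than one) weakens the MFA requirement without any error. The following resolver is an added example, not the answer's code. It looks groups up by exact display name with an OData filter and refuses both missing and ambiguous matches; it assumes an existing Connect-AzureAD session and that Get-AzureADMSGroup accepts -Filter, and the function name Resolve-CAGroupId is my own.

```powershell
# Added example, not the answer's code. Assumes an AzureAD module session (Connect-AzureAD)
# and that Get-AzureADMSGroup accepts an OData -Filter; Resolve-CAGroupId is a name chosen here.
function Resolve-CAGroupId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string[]]$DisplayName
    )

    $ids = @()
    foreach ($name in $DisplayName) {
        # Escape single quotes so the name is a well-formed OData string literal.
        $literal = $name -replace "'", "''"
        # Exact match on displayName rather than the prefix match that -SearchString performs.
        $found = @(Get-AzureADMSGroup -Filter "displayName eq '$literal'")

        if ($found.Count -eq 0) {
            throw "No group with display name '$name' was found; refusing to build a policy with a missing scope."
        }
        if ($found.Count -gt 1) {
            throw "Display name '$name' matches $($found.Count) groups ($($found.Id -join ', ')); use the object ID instead."
        }
        $ids += $found[0].Id
    }

    # The unary comma keeps a one-element result as an array, so the caller can assign it
    # straight to IncludeGroups / ExcludeGroups without it unrolling into a bare string.
    return ,$ids
}

# Usage inside the policy function: pass the resolved array, never a joined string.
# $Conditions.Users.IncludeGroups = Resolve-CAGroupId -DisplayName 'HR', 'Marketing'
# $Conditions.Users.ExcludeGroups = Resolve-CAGroupId -DisplayName 'Break Glass Accounts'
```

Throwing on ambiguity is deliberate: for an access-control policy the safe failure is to create nothing, then let an operator supply the object ID, rather than to guess which of several similarly named groups was meant.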
