
0 Votes
RogerSeekell-9360 asked saldana-msft edited

MS Graph Not Returning all Conditional Access Policies

Using Graph Explorer and the MG PowerShell, when I List all Conditional Access Policies, I am missing one. It is always the same one (of course, it's the one I most want to manipulate with Graph). Why might it not be returning with the other 12? Should I put in a support ticket with Azure AD?

Tags: microsoft-graph-identity, azure-ad-conditional-access

1 Answer

1 Vote
JamesTran-MSFT answered RogerSeekell-9360 commented

@RogerSeekell-9360
Thank you for your post! I was able to replicate your issue, and will post my findings along with a workaround below.

Findings:

Using the List policies Graph API - https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/

  • I got an output of 10 Conditional Access Policies out of 11

  • I didn't find any distinct differences between the 10 CA policies and the 1. I enabled the policy and put it in report-only, but still wasn't able to get it using the List API.


Workaround:
In order to work around this issue, I used the Google Chrome and Microsoft Edge (Chromium) Developer Tool F12.

  • In order to get the ID of the CA policy, I went to Conditional Access within the Azure Portal, opened the Developer Tool, and selected the CA policy.

  • Once you have selected your CA policy, look within your Dev Tool for an operation with a Gear Symbol and Policy ID:

  • Select the operation and select Preview to copy the Policy ID

Using the Get conditionalAccessPolicy API - https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{id}

  • You can now get the CA policy that isn't populating with the List API and manipulate it as you see fit.



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



Thank you, this answer helped me to move forward. However, the response I got was "The policy you requested contains preview features. Use the Beta endpoint to retrieve this policy."
So I switched to https://graph.microsoft.com/beta/identity/conditionalAccess/policies/<policyid>, and I can see it. (Next step is to actually manipulate it; we'll see.)
So what beta/preview feature does this CAP have? And how do we bring it to MS's attention to fix it?

0 Votes

@RogerSeekell-9360
Thank you for the quick follow up!

When it comes to the preview features available for Conditional Access Policies, it looks like there are currently 3 available - Device State, Filters for devices, and Authentication Context.




If you're having issues manipulating your CA policy via MS Graph, please let me know.
Thank you for your time and patience throughout this issue.

1 Vote

Thanks! I see that the CAP in question is using the Device State preview feature. Thanks for the tip!

1 Vote
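
Added example, not part of the original thread and not Microsoft's code: a Python check that compares the `value` arrays from the v1.0 and beta List policies calls and reports which policies v1.0 omits and which of the three preview features named above each one uses. The sample responses are constructed, the beta property paths in `PREVIEW_PATHS` are assumptions, and it assumes the beta List call returns the policies v1.0 leaves out (the thread only confirms the beta Get by ID).

```python
import json

# Constructed sample responses (not real tenant data), shaped like the
# "value" arrays returned by GET .../identity/conditionalAccess/policies
# on the v1.0 and beta endpoints.
V1_RESPONSE = json.loads("""{"value": [
  {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Require MFA for admins"}
]}""")
BETA_RESPONSE = json.loads("""{"value": [
  {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Require MFA for admins",
   "conditions": {"applications": {"includeApplications": ["All"]}}},
  {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Block unmanaged devices",
   "conditions": {"deviceStates": {"includeStates": ["All"], "excludeStates": ["Compliant"]}}}
]}""")

# Assumed beta property paths for the three preview features named in the thread.
PREVIEW_PATHS = {
    "Device State": ("conditions", "deviceStates"),
    "Filters for devices": ("conditions", "devices", "deviceFilter"),
    "Authentication Context": ("conditions", "applications",
                               "includeAuthenticationContextClassReferences"),
}

def _dig(obj, path):
    """Walk nested dicts; return None if any key is missing or null."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def preview_features(policy):
    """Names of preview features whose property is populated on a beta policy."""
    return [name for name, path in PREVIEW_PATHS.items() if _dig(policy, path)]

def missing_from_v1(v1_response, beta_response):
    """Policies the beta list returns that the v1.0 list omits, with likely cause."""
    v1_ids = {p["id"] for p in v1_response.get("value", [])}
    return [
        {"id": p["id"], "displayName": p.get("displayName"),
         "previewFeatures": preview_features(p)}
        for p in beta_response.get("value", [])
        if p["id"] not in v1_ids
    ]

if __name__ == "__main__":
    for gap in missing_from_v1(V1_RESPONSE, BETA_RESPONSE):
        print(gap)
```

Any inventory or audit of Conditional Access built only on the v1.0 list would silently skip the policies this reports, so run it against saved responses from both endpoints before trusting a v1.0-only export.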