[Bug]: Can't deploy CA policies with group exclusion #3614
Comments
Thank you for reporting a potential bug. If you would like to work on this bug, please comment:
Thank you for helping us maintain the project!
Can't seem to replicate this - Are you using 's in group names?
No, no quotes in the groups:
Group in the Template library tenant:
Group Template in CIPP:
{
"Displayname": "😊AwesomeGroup",
"Description": "AwesomeGroup",
"groupType": "dynamic",
"MembershipRules": "(user.userPrincipalName -contains \\\"username\\\")",
"allowExternal": null,
"username": "AwesomeGroup",
"GUID": "xxxxxx"
}
From the template in CIPP it looks like the "\" used to escape the quotes around the username is escaped with additional slashes. This means that after escaping all the characters in the string, there is still a slash remaining which causes the error.
I was looking at CA templates because of your description, but it's groups. Checking this out :)
My bad. We ran into the issue because we had to deploy the groups to be able to deploy CA policies that contain the group.
@TargetCrafter can you try to delete the group template and re-create it? We were unable to reproduce this.
I set up the template library, and here I saw that the group name was surrounded by 6 slashes to escape the quote characters:
(user.userPrincipalName -contains \\\\\\\"awesomeuser\\\\\\\")
Then I deleted the group, and recreated it via the interface before exporting it again, and there I saw that only 3 slashes were added:
(user.userPrincipalName -contains \\\"awesomeuser\\\")
So somewhere in CIPP these slashes were added, but recreating the group solved the issue. So the problem is solved, and the cause is clear, but I don't know where or when this happened, as it worked before.
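The two strings quoted in the comment above carry 3 and 7 backslashes in front of each quote, which is the pattern repeated JSON string encoding produces (each pass doubles the backslashes and adds one). The Python sketch below is an added example, not CIPP code and not from the thread: that the template was re-serialized is an assumption, and `RULE`, `serialize`, `backslash_run` and `normalize` are hypothetical names for a pre-deployment check on a membership rule.

```python
import json
import re

# Constructed sample: the membership rule with plain, unescaped quotes.
RULE = '(user.userPrincipalName -contains "awesomeuser")'


def serialize(text: str, layers: int) -> str:
    """Return text as it appears inside a JSON string after `layers` encodings."""
    for _ in range(layers):
        text = json.dumps(text, ensure_ascii=False)[1:-1]  # drop the outer quotes
    return text


def backslash_run(text: str) -> int:
    """Longest run of backslashes directly in front of a double quote."""
    return max((len(m) for m in re.findall(r'(\\+)"', text)), default=0)


def normalize(text: str) -> tuple[str, int]:
    """Undo encoding layers until no quote is escaped; return (rule, layers removed).

    A run that is not of the form 2**n - 1 is not valid nested JSON escaping and
    raises json.JSONDecodeError, which should block the deployment for review.
    """
    layers = 0
    while backslash_run(text) > 0:
        text = json.loads(f'"{text}"')
        layers += 1
    return text, layers


if __name__ == "__main__":
    for n in range(1, 4):
        encoded = serialize(RULE, n)
        print(n, backslash_run(encoded), encoded)
    print(normalize(serialize(RULE, 3)))
```

Running `normalize` on a stored rule before it is sent to the tenant, and logging the number of layers removed, shows which templates have picked up extra encoding passes.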
Running into the issue again now, but for a different tenant. The error CIPP shows in the logbook is now as follows:
The groups have been deployed to the tenant, and CIPP should match those by display name as far as I know, so I don't get why it tries to find a group called "." when there is no such group in the CA template:
{
"id": "*****",
"displayName": "🟢Require MFA for all users",
"createdDateTime": "2024-10-01T16:01:56.90419Z",
"modifiedDateTime": "2024-11-13T08:37:38.5835892Z",
"state": "enabled",
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [
"📷Teams Meeting rooms",
"🔗On-Prem Sync users"
],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies('cfa74063-2e56-4ac9-b1b5-f0cc976110f5')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
},
"LocationInfo": [
null,
null
]
}
So perhaps something's wrong with the group matching?
Required confirmations before submitting
Issue Description
I can't deploy CA policies via the deployment tool when the CA policy has a group. It looks like the quotes are not correctly escaped when doing this.
Note that this works without a problem via the standards.
Environment Type
Sponsored (paying) user
Front End Version
7.1.3
Back End Version
7.1.3
Relevant Logs / Stack Trace