I have an issue with setting up a conditional access policy via the Microsoft.Graph cmdlets:
$params = @{
    displayName = "Block Legacy authentication"
    state = "disabled"
    conditions = @{
        applications = @{
            includeApplication = @(
                "All"
            )
        }
        users = @{
            includeUsers = @(
                "All"
            )
            excludeGroups = @(
                $ExcludeCAGroup.Id
            )
        }
        clientAppTypes = @(
            'exchangeActiveSync', 'other'
        )
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @(
            "block"
        )
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
The code shown above throws the following error:
New-MgIdentityConditionalAccessPolicy : 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type. For examples, please see API documentation at
https://docs.microsoft.com/en-us/graph/api/conditionalaccessroot-post-policies?view=graph-rest-1.0.
Status: 400 (BadRequest)
ErrorCode: BadRequest
Date: 2023-10-27T12:12:30
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 956cdf72-b772-4537-8a20-caff949ef3c1
ErrorId : BadRequest,Microsoft.Graph.PowerShell.Cmdlets.NewMgIdentityConditionalAccessPolicy_Create
Do you notice anything that's wrong with my script? From what I've known it should
The error usually occurs if you are not passing $params in the correct format. To resolve the error, check the JSON body parameter and ensure that it matches the schema of the ConditionalAccessPolicy type.
In my case, I ran the modified script below, with $params properly formatted like this:
Import-Module Microsoft.Graph.Identity.SignIns
# Sign in first with scopes that can read groups and write conditional access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"
$ExcludeCAGroup = Get-MgGroup -Filter "DisplayName eq 'SriGroup'"
$params = @{
    displayName = "Block Legacy authentication"
    state = "disabled"
    conditions = @{
        clientAppTypes = @(
            "exchangeActiveSync"
            "other"
        )
        applications = @{
            includeApplications = @(
                "All"
            )
        }
        users = @{
            includeUsers = @(
                "All"
            )
            excludeGroups = @(
                $ExcludeCAGroup.Id
            )
        }
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @(
            "block"
        )
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Response:
To confirm that, I checked the same in the Portal, where the conditional access policy was created successfully, as shown below:
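The two scripts on this page differ only in the applications key: the failing one uses includeApplication (singular), the working one includeApplications, and Graph reports that as a generic 1007 schema error rather than naming the bad property. The following is an added example, not code from the question or the answer: a small pre-flight check that walks the $params hashtable and compares each key against the property names documented for ConditionalAccessPolicy, so the typo is reported locally before anything is sent. The allowed-key lists and the function name Test-CaPolicyKeys are assumptions derived from the v1.0 documentation linked in the error message.

```powershell
# Added example: validate hashtable key names against the ConditionalAccessPolicy schema
# before calling New-MgIdentityConditionalAccessPolicy. The lists below are an assumption
# (subset of the documented v1.0 property names); extend them if your policy uses more.
$AllowedKeys = @{
    ''                        = @('displayName','state','conditions','grantControls','sessionControls')
    'conditions'              = @('applications','users','clientAppTypes','platforms','locations','signInRiskLevels','userRiskLevels')
    'conditions.applications' = @('includeApplications','excludeApplications','includeUserActions')
    'conditions.users'        = @('includeUsers','excludeUsers','includeGroups','excludeGroups','includeRoles','excludeRoles')
    'grantControls'           = @('operator','builtInControls','customAuthenticationFactors','termsOfUse')
}

function Test-CaPolicyKeys {
    param([hashtable]$Body, [string]$Path = '')
    $problems = @()
    $allowed = $AllowedKeys[$Path]
    foreach ($key in $Body.Keys) {
        $full = if ($Path) { "$Path.$key" } else { $key }
        if ($allowed -and $key -notin $allowed) {
            # Suggest the closest documented name so singular/plural slips are obvious.
            $hint = $allowed | Where-Object { $_ -like "$key*" -or $key -like "$_*" } | Select-Object -First 1
            $problems += "Unknown property '$full'" + $(if ($hint) { " (did you mean '$hint'?)" })
        }
        if ($Body[$key] -is [hashtable]) {
            $problems += Test-CaPolicyKeys -Body $Body[$key] -Path $full
        }
    }
    return $problems
}

# Constructed sample carrying the same slip as the question's script.
$params = @{
    displayName   = 'Block Legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; switch to 'enabled' after reviewing sign-in logs
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync','other')
        applications   = @{ includeApplication = @('All') }   # typo: the schema name is includeApplications
        users          = @{ includeUsers = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$issues = Test-CaPolicyKeys -Body $params
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    # Show exactly what would be serialized; the default ConvertTo-Json -Depth of 2 truncates nested hashtables.
    $params | ConvertTo-Json -Depth 10
} else {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $params
}
```

Run against the sample above, the check warns "Unknown property 'conditions.applications.includeApplication' (did you mean 'includeApplications'?)" and skips the Graph call; once the key is corrected it falls through and creates the policy in report-only state.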