Update-MgIdentityConditionalAccessPolicy "1054: Invalid servicePrincipal value: ."

[ztrhgf]

Describe the bug
When I try to remove all existing service principal IDs in selected conditional policy condition by defining IncludeServicePrincipals = '', it ends with an error.

I've tried to use:
IncludeServicePrincipals = $null
IncludeServicePrincipals = @()

but both tries ended with empty body a.k.a. nothing happened.

How am I suppose to select NONE then?

To Reproduce
Steps to reproduce the behavior:
$params = @{
Conditions = @{
ClientApplications = @{
IncludeServicePrincipals = ''
}
}
}

Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId -Conditions $params.Conditions -debug

Expected behavior
Existing service principals defined in such conditional policy should be remove.

Debug Output

Run the problematic command with -Debug and paste the resulting debug stream below.
⚠ ATTENTION: Be sure to remove any sensitive information that may be in the logs.

Module Version

Please run Get-Module Microsoft.Graph* after cmdlet execution and paste the output below.
If a module cannot be installed or imported, please run Get-Module -ListAvailable and paste the output.

Environment Data

Please run $PSVersionTable and paste the output below. If running the Docker container image, indicate the tag of the image used and the version of Docker engine.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Add any other context about the problem here.

[SeniorConsulting]

I've been looking through some of the API doco, but am still not confident with my answer. The doco (such as this page here: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessconditionset?view=graph-rest-1.0), suggests that there are some pre-built terms (such as browser, mobileAppsAndDesktopClients, high, medium, low etc.)

As a thought...have you tried using
includeServicePrincipals = "none"

I haven't gone down enough to look at the API spec to see exactly what it is looking for though.

[ztrhgf]

I've been looking through some of the API doco, but am still not confident with my answer. The doco (such as this page here: https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessconditionset?view=graph-rest-1.0), suggests that there are some pre-built terms (such as browser, mobileAppsAndDesktopClients, high, medium, low etc.)

As a thought...have you tried using includeServicePrincipals = "none"

I haven't gone down enough to look at the API spec to see exactly what it is looking for though.

Problem is I am trying to set "clientApplications" which has no such option.

[ztrhgf]

Btw I've found how to select "NONE" using the following code

$body = '{
                "conditions": {
                    "clientApplications": null
                }
            }'
 Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$blockCAId" -Body $body

But question is still same, how can I achieve this using native Update-MgIdentityConditionalAccessPolicy command?

[SeniorConsulting]

I'm looking back at the original code you wrote and comparing it to what worked using the Invoke-MgGraphRequest

$params = @{
    Conditions = @{
        ClientApplications = @{
            IncludeServicePrincipals = ''
        }
    }
}

vs

$body = '{
                "conditions": {
                    "clientApplications": null
                }
            }'

I can see that in the one which worked, you've dropped the IncludeServicePrincipals, and are just using "clientApplications". Consequently, were you not able to get this working by doing:

$params = @{
    Conditions = @{
        ClientApplications = "null"
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId -Conditions $params.Conditions 

[ztrhgf]

I've tried various parameter options but every time the send request body was empty which I believe is the problem. That the function Update-MgIdentityConditionalAccessPolicy thinks there is nothing to change.

[timayabi2020]

To be fixed in the next release.