Bug in Get-AzureMSConditionalAccessPolicy cmdlet?

Recently, I found an excellent blogpost on how to back up AzureAD Conditional Access policies (link) using the new AzureAD PowerShell module and decided to create my own when I encountered a little bug…

Instead of using ToJson() method use ConvertTo-Json cmdlet on the objects returned by Get-AzureMSConditionalAccessPolicy.

I was trying to create my own version of a restore script when I encountered the following error:

Cannot convert value "@{operator=OR; builtInControls=System.Object[]; customAuthenticationFactors=System.Object[]; termsOfUse=System.Object[]}" to type "Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls". Error: "Cannot convert the "@{operator=OR; builtInControls=System.Object[]; customAuthenticationFactors=System.Object[]; termsOfUse
=System.Object[]}" value of type "System.Management.Automation.PSCustomObject" to type "Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls"."
At line:2 char:1
+ [Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls]$GrantCo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException

The main difference between my script and Barbara’s is that I used the ToJson() method on the returned Microsoft.Open.MSGraph.Model.ConditionalAccessPolicy type objects:

$CAs = Get-AzureADMSConditionalAccessPolicy
foreach ($CA in $CAs){$CA.ToJson()}

This way, the JSON output has no underscore prefix in “operator” compared to the output generated by ConvertTo-Json (“_Operator”):

Output when using ToJson() method:

Same object when using ConvertTo-Json:

Leave a Reply