Description
Describe the bug
I feel this is so strange - no errors when parsing the content via the cmdlet "Update-MgPolicyDefaultAppManagementPolicy" in PowerShell, and as I see it the Entra ID audit log also shows it right...
And when I look in the docs at https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/update-mgpolicydefaultappmanagementpolicy?view=graph-powershell-1.0 it should work just fine...
I am working on a small tool, as I shared in a teaser here: https://www.linkedin.com/feed/update/urn:li:activity:7337869500135919617/ aka "Entra ID Application Policy Manager", so this type of error is a bit annoying as it breaks stuff for people who are using Entra ID Application Management Policies...
Tested here with:
2.28.0 Microsoft.Graph.Applications
2.28.0 Microsoft.Graph.Authentication
2.28.0 Microsoft.Graph.Identity.SignIns
Will test others too soon and update here!
Expected behavior
I expect the values to be set, not returned as "null" if e.g. set to P40D or so.
How to reproduce
- run this to parse it to Graph (will not show any errors):
```
# Needs an authenticated Connect-MgGraph session before running.
Import-Module Microsoft.Graph.Identity.SignIns

# Request body for the tenant default app management policy
$params = @{
    isEnabled = $true
    applicationRestrictions = @{
        # Restrictions on application passwords (client secrets) and symmetric keys
        passwordCredentials = @(
            @{
                restrictionType = "passwordAddition"
                maxLifetime = $null
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
            }
            @{
                restrictionType = "passwordLifetime"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T10:37:00Z")
            }
            @{
                restrictionType = "symmetricKeyAddition"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
            }
            @{
                restrictionType = "customPasswordAddition"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
            }
            @{
                restrictionType = "symmetricKeyLifetime"
                maxLifetime = "P40D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
            }
        )
        # Restrictions on certificates (asymmetric keys)
        keyCredentials = @(
            @{
                restrictionType = "asymmetricKeyLifetime"
                maxLifetime = "P30D"
                restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
            }
        )
    }
}

# Sends PATCH /policies/defaultAppManagementPolicy
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params
```
- Check if the settings are set - both via the Entra ID audit log like here:
and via e.g. https://developer.microsoft.com/en-us/graph/graph-explorer with a GET call to "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy" - here you will see this for the above code:
- Done - the policy is set in Entra ID - but the 2 parts customPasswordAddition and symmetricKeyAddition are not set - the rest are... This is tested for applicationRestrictions for now (will test more)
SDK Version
2.28.0
Latest version known to work for scenario above?
No response
Known Workarounds
No response
Debug output
```
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $params -Verbose
VERBOSE: Performing the operation "Update-MgPolicyDefaultAppManagementPolicy_Update" on target "Call remote 'PATCH /policies/defaultAppManagementPolicy' operation".
```
Configuration
```
$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.26100.4061
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.4061
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Windows 11 26100.3983, x64
Other information
This bug has been reported back in the channels I have too, as a Microsoft MVP and as a member of the CCP Communities.
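
A way to check for silently dropped restrictions after the PATCH, as an added example that is not part of the original issue or of the Microsoft Graph SDK: it compares each requested restrictionType and maxLifetime against a GET of the policy. The function names `Compare-AppPolicyRestriction` and `ConvertTo-Lifetime` are hypothetical, and the sample request and response are constructed, not output from a real tenant.

```powershell
# Added example: diff the restrictions sent in a PATCH against a later GET.
function ConvertTo-Lifetime($Value) {
    if ($Value -is [timespan]) { return $Value }            # SDK objects expose TimeSpan
    if ([string]::IsNullOrEmpty($Value)) { return $null }   # no lifetime present
    [System.Xml.XmlConvert]::ToTimeSpan($Value)             # ISO 8601 duration, e.g. P40D
}

function Compare-AppPolicyRestriction {
    param(
        [Parameter(Mandatory)] [hashtable] $Requested,   # body passed to -BodyParameter
        [Parameter(Mandatory)] $Returned                 # policy object from the GET
    )
    foreach ($kind in 'passwordCredentials', 'keyCredentials') {
        foreach ($want in $Requested.applicationRestrictions[$kind]) {
            $got = @($Returned.applicationRestrictions.$kind) |
                Where-Object { $_.restrictionType -eq $want.restrictionType } |
                Select-Object -First 1
            $status = if (-not $got) { 'Missing' }
                elseif ((ConvertTo-Lifetime $want.maxLifetime) -ne (ConvertTo-Lifetime $got.maxLifetime)) { 'Mismatch' }
                else { 'Match' }
            [pscustomobject]@{
                Collection      = $kind
                RestrictionType = $want.restrictionType
                Requested       = $want.maxLifetime
                Returned        = $got.maxLifetime
                Status          = $status
            }
        }
    }
}

# Constructed sample data (not from a real tenant).
$requested = @{ applicationRestrictions = @{
    passwordCredentials = @(
        @{ restrictionType = 'passwordLifetime';     maxLifetime = 'P40D' }
        @{ restrictionType = 'symmetricKeyAddition'; maxLifetime = 'P40D' }
    )
    keyCredentials = @( @{ restrictionType = 'asymmetricKeyLifetime'; maxLifetime = 'P30D' } )
} }
$returned = @'
{"applicationRestrictions":{
  "passwordCredentials":[
    {"restrictionType":"passwordLifetime","maxLifetime":"P40D"},
    {"restrictionType":"symmetricKeyAddition","maxLifetime":null}],
  "keyCredentials":[]}}
'@ | ConvertFrom-Json
# Live tenant instead of the sample:
# $returned = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy'
Compare-AppPolicyRestriction -Requested $requested -Returned $returned | Format-Table
```

Any row with a Status other than Match marks a restriction that was accepted without error but is not in effect as requested, which is worth alerting on when the policy is managed by automation.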