azuread_conditional_access_policy set built_in_controls to optional

[alexwilcox9]

During some recent work I noticed you could not create a CA policy in terraform that only has a terms of use set and no other controls.

This is possible through the portal, the below policy is valid and with this modification applies successfully.

resource "azuread_conditional_access_policy" "tou" {
  display_name = "Require All Users agree to terms"
  state        = "disabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["All"]
    }

    locations {
      included_locations = ["All"]
    }
  }

  grant_controls {
    operator                      = "OR"
    terms_of_use                  = ["<<TOU-GUID>>"]
  }
}

Creating a policy with neither field is not possible (at least not until authentication strengths are supported) so I have set it to at least one of built_in_controls or terms_of_use

[manicminer]

Thanks for this @alexwilcox9, LGTM 👍

[github-actions]

This functionality has been released in v2.42.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!