hashicorp · manicminer · Dec 3, 2021 · Nov 24, 2021 · Nov 24, 2021 · Nov 24, 2021
@@ -167,6 +167,7 @@ The following arguments are supported:
 -> Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
 
 * `cloud_app_security_policy` - (Optional) Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
+* `persistent_browser_mode` - (Optional) Session control to define whether to persist cookies or not. Possible values are: `always` or `never`.
 * `sign_in_frequency` - (Optional) Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
 * `sign_in_frequency_period` - (Optional) The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
 

@@ -397,6 +397,15 @@ func conditionalAccessPolicyResource() *schema.Resource {
 							}, false),
 						},
 
+						"persistent_browser_mode": {
+							Type:     schema.TypeString,
+							Optional: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								msgraph.PersistentBrowserSessionModeAlways,
+								msgraph.PersistentBrowserSessionModeNever,
+							}, false),
+						},
-						"persistent_browser_mode": {
-							Type:     schema.TypeString,
-							Optional: true,
-							ValidateFunc: validation.StringInSlice([]string{
-								msgraph.PersistentBrowserSessionModeAlways,
-								msgraph.PersistentBrowserSessionModeNever,
-							}, false),
-						},
+						"persistent_browser_cookies_enabled": {
+							Type:     schema.TypeString,
+							Optional: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								msgraph.PersistentBrowserSessionModeAlways,
+								msgraph.PersistentBrowserSessionModeNever,
+							}, false),
+						},
-						"persistent_browser_mode": {
-							Type:     schema.TypeString,
-							Optional: true,
-							ValidateFunc: validation.StringInSlice([]string{
-								msgraph.PersistentBrowserSessionModeAlways,
-								msgraph.PersistentBrowserSessionModeNever,
-							}, false),
-						},
+						"persistent_browser_cookies_enabled": {
+							Type:     schema.TypeString,
+							Optional: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								msgraph.PersistentBrowserSessionModeAlways,
+								msgraph.PersistentBrowserSessionModeNever,
+							}, false),
+						},
+
 						"sign_in_frequency": {
 							Type:         schema.TypeInt,
 							Optional:     true,
@@ -444,8 +453,21 @@ func conditionalAccessPolicyDiffSuppress(k, old, new string, d *schema.ResourceD
 		sessionControlsRaw := d.Get("session_controls").([]interface{})
 		if len(sessionControlsRaw) == 1 {
 			sessionControls := sessionControlsRaw[0].(map[string]interface{})
-			if v, ok := sessionControls["application_enforced_restrictions_enabled"]; ok && !v.(bool) {
-				suppress = true
+			suppress = true
+			if v, ok := sessionControls["application_enforced_restrictions_enabled"]; ok && v.(bool) {
+				suppress = false
+			}
+			if v, ok := sessionControls["cloud_app_security_policy"]; ok && v.(string) != "" {
+				suppress = false
+			}
+			if v, ok := sessionControls["persistent_browser_mode"]; ok && v.(string) != "" {
+				suppress = false
+			}
+			if v, ok := sessionControls["sign_in_frequency"]; ok && v.(int) > 0 {
+				suppress = false
+			}
+			if v, ok := sessionControls["sign_in_frequency_period"]; ok && v.(string) != "" {
+				suppress = false
 			}
 		}
 	}

@@ -167,6 +167,26 @@ func TestAccConditionalAccessPolicy_sessionControls(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
+		{
+			Config: r.sessionControlsUpdate(data),
+			Check: resource.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("state").HasValue("disabled"),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.sessionControls(data),
+			Check: resource.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("state").HasValue("disabled"),
+			),
+		},
+		data.ImportStep(),
 		{
 			Config: r.basic(data),
 			Check: resource.ComposeTestCheckFunc(
@@ -433,13 +453,57 @@ resource "azuread_conditional_access_policy" "test" {
   session_controls {
     application_enforced_restrictions_enabled = true
     cloud_app_security_policy                 = "monitorOnly"
+    persistent_browser_mode                   = "never"
     sign_in_frequency                         = 10
     sign_in_frequency_period                  = "hours"
   }
 }
 `, data.RandomInteger)
 }
 
+func (ConditionalAccessPolicyResource) sessionControlsUpdate(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types = ["browser"]
+
+    applications {
+      included_applications = ["All"]
+    }
+
+    locations {
+      included_locations = ["All"]
+    }
+
+    platforms {
+      included_platforms = ["all"]
+    }
+
+    users {
+      included_users = ["All"]
+      excluded_users = ["GuestsOrExternalUsers"]
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+
+  session_controls {
+    application_enforced_restrictions_enabled = true
+    cloud_app_security_policy                 = "blockDownloads"
+    persistent_browser_mode                   = "always"
+    sign_in_frequency                         = 2
+    sign_in_frequency_period                  = "days"
+  }
+}
+`, data.RandomInteger)
+}
+
 func (ConditionalAccessPolicyResource) sessionControlsDisabled(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 resource "azuread_conditional_access_policy" "test" {

@@ -132,10 +132,16 @@ func flattenConditionalAccessSessionControls(in *msgraph.ConditionalAccessSessio
 		signInFrequencyPeriod = *in.SignInFrequency.Type
 	}
 
+	persistentBrowserMode := ""
+	if in.PersistentBrowser != nil && in.PersistentBrowser.Mode != nil {
+		persistentBrowserMode = *in.PersistentBrowser.Mode
+	}
+
 	return []interface{}{
 		map[string]interface{}{
 			"application_enforced_restrictions_enabled": applicationEnforceRestrictions,
 			"cloud_app_security_policy":                 cloudAppSecurity,
+			"persistent_browser_mode":                   persistentBrowserMode,
 			"sign_in_frequency":                         signInFrequency,
 			"sign_in_frequency_period":                  signInFrequencyPeriod,
 		},
@@ -374,6 +380,13 @@ func expandConditionalAccessSessionControls(in []interface{}) *msgraph.Condition
 		}
 	}
 
+	if persistentBrowserMode := config["persistent_browser_mode"].(string); persistentBrowserMode != "" {
+		result.PersistentBrowser = &msgraph.PersistentBrowserSessionControl{
+			IsEnabled: utils.Bool(true),
+			Mode:      utils.String(persistentBrowserMode),
+		}
+	}
+
 	if signInFrequency := config["sign_in_frequency"].(int); signInFrequency > 0 {
 		result.SignInFrequency = &msgraph.SignInFrequencySessionControl{
 			IsEnabled: utils.Bool(true),