New-MgIdentityConditionalAccessPolicy : 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type

Alexander Conn 5 Reputation points
2025-12-09T03:32:48.2366667+00:00

I'm trying to use New-MgIdentityConditionalAccessPolicy to create a conditional access policy. But get the error: New-MgIdentityConditionalAccessPolicy : 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type.

I can't figure out what is wrong with my -BodyParameter. Here's part of the debug output:

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; en-US),PowerShell/5.1.17763.7009
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.8.0
client-request-id             : 959a7ccf-d467-475c-87ef-4cfb4b74e663

Body:
{
  "displayName": "International Roaming",
  "state": "disabled",
  "conditions": {
    "grantControls": {
      "builtInControls": [
        "Block"
      ],
      "operator": "OR"
    },
    "clientAppTypes": [
      "ExchangeActiveSync",
      "Browser",
      "MobileAppsAndDesktopClients",
      "Other"
    ],
    "applications": {
      "includeApplications": [
        "All"
      ]
    },
    "locations": {
      "excludeLocations": [
        "15cf0a01-b127-4acc-a3b4-0b737e83b171"
      ],
      "includeLocations": [
        "All"
      ]
    },
    "users": {
      "excludeGroups": [
        "d4ee09af-97c9-4630-b35b-e58a4cdf7059",
        "a6fa1a5c-c5ed-4cce-925e-73a966ff68da"
      ],
      "includeUsers": [
        "All"
      ]
    }
  }
}

Microsoft Security | Microsoft Graph

2 answers

  1. Alexander Conn 5 Reputation points
    2025-12-10T04:11:30.33+00:00

    I've ended up solving this problem myself using the Microsoft.Entra PowerShell module instead, which suggests there's either a problem with the Graph PowerShell module or its documentation.

    The below worked fine using Microsoft.Entra.Signins module:

    # Create policy
    # Assumes an existing session with the Policy.ReadWrite.ConditionalAccess scope
    # (e.g. Connect-Entra -Scopes 'Policy.ReadWrite.ConditionalAccess').
    # $GuestGroup, $RoamingGroup and $AusLocation are the group and named-location
    # objects looked up earlier in the script (that part is not shown in the post).
    Import-Module Microsoft.Entra.Signins

    # Conditions: all apps, all users except two groups, all locations except one
    $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $conditions.Applications.IncludeApplications = "All"
    $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $conditions.Users.IncludeUsers = "All"
    $conditions.Users.ExcludeGroups = @($GuestGroup.Id,$RoamingGroup.Id)
    $conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
    $conditions.Locations.IncludeLocations = "All"
    $conditions.Locations.ExcludeLocations = $AusLocation.Id
    $conditions.ClientAppTypes = @("ExchangeActiveSync","Browser","MobileAppsAndDesktopClients","Other")

    # Grant controls are a separate object, passed alongside the conditions
    $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $controls._Operator = "OR"
    $controls.BuiltInControls = "Block"

    New-EntraConditionalAccessPolicy -DisplayName "International Roaming" -State "enabled" -Conditions $conditions -GrantControls $controls
    
    
    1 person found this answer helpful.

  2. Q&A Assist
    2025-12-09T03:34:00.74+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error message you're encountering, New-MgIdentityConditionalAccessPolicy : 1007: Incoming ConditionalAccessPolicy object is null or does not match the schema of ConditionalAccessPolicy type, indicates that the JSON body you are sending does not conform to the expected schema for a Conditional Access Policy.

    Here are a few things you can check and adjust in your JSON body:

    1. Grant Controls: Ensure that the grantControls section is structured correctly. The builtInControls should be an array of valid values. For example, ensure that "Block" is a valid built-in control in your context.
    2. Conditions Structure: The conditions object should include all required fields. Make sure that the grantControls, clientAppTypes, applications, locations, and users sections are all correctly formatted and contain valid values.
    3. Application Types: Verify that the clientAppTypes values you are using are valid. The expected values are typically predefined, such as all, browser, mobileAppsAndDesktopClients, etc.
    4. User and Group IDs: Check that the IDs you are using in excludeGroups and includeUsers are valid and exist in your directory.
    5. State Value: Ensure that the state value is acceptable. It should typically be either "enabled" or "disabled".
    6. Debugging: You can also try simplifying your JSON body by removing optional fields or using only required fields to see if the error persists. This can help isolate which part of the body is causing the issue.

    Here’s a simplified example of what a valid body might look like:

    {
      "displayName": "International Roaming",
      "state": "disabled",
      "conditions": {
        "clientAppTypes": ["all"],
        "applications": {
          "includeApplications": ["All"]
        },
        "locations": {
          "excludeLocations": ["15cf0a01-b127-4acc-a3b4-0b737e83b171"],
          "includeLocations": ["All"]
        },
        "users": {
          "excludeGroups": ["d4ee09af-97c9-4630-b35b-e58a4cdf7059"],
          "includeUsers": ["All"]
        }
      },
      "grantControls": {
        "builtInControls": ["block"],
        "operator": "OR"
      }
    }
    

    Make sure to adjust your body according to the schema requirements and validate each part of the JSON structure against the expected schema for Conditional Access Policies.
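The debug body posted in the question places grantControls inside conditions, but in the Microsoft Graph conditionalAccessPolicy schema grantControls is a top-level property that sits next to conditions (the conditionalAccessConditionSet type has no grantControls member), which is the kind of mismatch the 1007 error reports. The following is an added example, not code from the question or from either answer: it builds the same policy as a hashtable for New-MgIdentityConditionalAccessPolicy with grantControls at the top level, and runs a small pre-flight shape check before calling Graph. Test-CaPolicyBodyShape is a hypothetical helper written for this example, and the group and named-location ids are constructed placeholders to be replaced with ids from your own tenant.

```powershell
# Added example: Graph PowerShell body with grantControls as a sibling of conditions,
# plus a local shape check that catches the nesting seen in the question.
# Test-CaPolicyBodyShape is a helper written for this example (not a module cmdlet).

function Test-CaPolicyBodyShape {
    param([Parameter(Mandatory)][hashtable]$Body)
    $issues = @()

    # Properties every policy body needs at the top level
    foreach ($key in 'displayName', 'state', 'conditions') {
        if (-not $Body.ContainsKey($key)) { $issues += "missing top-level '$key'" }
    }

    # A policy must carry at least one control block, and it lives beside conditions
    if (-not $Body.ContainsKey('grantControls') -and -not $Body.ContainsKey('sessionControls')) {
        $issues += "no grantControls or sessionControls at the top level"
    }
    if ($Body.conditions -is [hashtable] -and $Body.conditions.ContainsKey('grantControls')) {
        $issues += "grantControls is nested under conditions; move it next to conditions"
    }

    # state is an enum: enabled, disabled or enabledForReportingButNotEnforced
    if ($Body.state -notin 'enabled', 'disabled', 'enabledForReportingButNotEnforced') {
        $issues += "state '$($Body.state)' is not a valid conditionalAccessPolicyState"
    }

    return ,$issues
}

# Same policy as in the question, with placeholder ids (replace with your own tenant's ids)
$body = @{
    displayName = 'International Roaming'
    state       = 'disabled'
    conditions  = @{
        # camelCase matches the Graph enum names as documented
        clientAppTypes = @('exchangeActiveSync', 'browser', 'mobileAppsAndDesktopClients', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @('00000000-0000-0000-0000-000000000001',   # placeholder: guest group id
                              '00000000-0000-0000-0000-000000000002')   # placeholder: roaming group id
        }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('00000000-0000-0000-0000-000000000003') # placeholder: trusted named location id
        }
    }
    # Top-level, not inside conditions
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Fail locally before sending anything to Graph
$problems = Test-CaPolicyBodyShape -Body $body
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "policy body failed shape check"
}

# Create the policy (created in the disabled state so it can be reviewed before enforcement)
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

Running Test-CaPolicyBodyShape against a hashtable that mirrors the question's debug body (grantControls under conditions) reports both the nesting and the missing top-level control block, which is a faster way to localise a 1007 error than trimming fields one at a time.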

