[GH-ISSUE #4194] [Bug]: CA Template with Named locations errors on deployment #1897

Closed
opened 2026-03-02 13:47:59 +03:00 by kerem · 2 comments
Owner

Originally created by @sfaxluke on GitHub (Jun 2, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4194

Required confirmations before submitting

  • I can reproduce this issue on the latest released versions of both CIPP and CIPP-API.
  • I have searched existing issues (both open and closed) to avoid duplicates.
  • I am not requesting general support; this is an actual bug report.

Issue Description

I created a Conditional Access Policy on the client's tenant with a named location set.
Then, on CIPP, I created it as a CA template.
When deploying it via standards, it initially fails to deploy the CAP but deploys the named locations list; then, on the next run of standards, it deploys the CAP.

Ideally, it would deploy both together, and based on the error in the logbook it is only deploying one part due to the CA template exporting the ID. However, on the second run it seems to be happy?

Created new Named Location: MSP Blocked Countries

Failed to create or update conditional access rule MSP Blocked Countires: 1040: NamedLocation with id 1df231c7-9930-485f-a00a-ba4bc47a8901 does not exist in the directory.

Failed to create or update conditional access rule . Error: Failed to create or update conditional access rule MSP Blocked Countires: 1040: NamedLocation with id 1df231c7-9930-485f-a00a-ba4bc47a8901 does not exist in the directory.

Environment Type

Sponsored (paying) user

Front End Version

v8.0.1

Back End Version

v8.0.1

Relevant Logs / Stack Trace

{
  "tenantFilter": "client.uk",
  "id": "fa564636-fef8-4f5e-9881-ea5520390d1a",
  "displayName": "MSP Blocked Countires",
  "createdDateTime": "2025-05-30T15:10:15.1714955Z",
  "modifiedDateTime": "2025-05-30T15:11:21.1560731Z",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [
      "all"
    ],
    "platforms": null,
    "times": null,
    "deviceStates": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": [
        "None"
      ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [
        "All"
      ],
      "excludeUsers": [],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "serviceProvider",
        "externalTenants": {
          "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
          "membershipKind": "enumerated",
          "members": [
            "03e91e42-035a-4404-99f6-1086bf8482e8"
          ]
        }
      }
    },
    "locations": {
      "includeLocations": [
        "MSP Blocked Countries"
      ],
      "excludeLocations": []
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "block"
    ],
    "customAuthenticationFactors": [],
    "termsOfUse": [],
    "authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('fa564636-fef8-4f5e-9881-ea5520390d1a')/grantControls/authenticationStrength/$entity",
    "authenticationStrength": null
  },
  "LocationInfo": [
    {
      "@odata.type": "#microsoft.graph.countryNamedLocation",
      "displayName": "MSP Blocked Countries",
      "countriesAndRegions": [
        "AF",
        "AX",
        "AL",
        "DZ",
        "AS",
        "AD",
        "AO",
        "AI",
        "AQ",
        "AG",
        "AR",
        "AM",
        "AW",
        "AU",
        "AT",
        "AZ",
        "BS",
        "BH",
        "BD",
        "BB",
        "BY",
        "BE",
        "BZ",
        "BJ",
        "BM",
        "BT",
        "BO",
        "BQ",
        "BA",
        "BW",
        "BV",
        "BR",
        "IO",
        "BN",
        "BG",
        "BF",
        "BI",
        "CV",
        "KH",
        "CM",
        "CA",
        "KY",
        "CF",
        "TD",
        "CL",
        "CN",
        "CX",
        "CC",
        "CO",
        "KM",
        "CK",
        "CR",
        "CI",
        "HR",
        "CU",
        "CW",
        "CY",
        "CZ",
        "CD",
        "DK",
        "DJ",
        "DM",
        "DO",
        "EC",
        "EG",
        "SV",
        "GQ",
        "ER",
        "EE",
        "SZ",
        "ET",
        "FK",
        "FO",
        "FJ",
        "FI",
        "FR",
        "GF",
        "PF",
        "TF",
        "GA",
        "GM",
        "GE",
        "DE",
        "GH",
        "GI",
        "GR",
        "GL",
        "GD",
        "GP",
        "GU",
        "GT",
        "GG",
        "GN",
        "GW",
        "GY",
        "HT",
        "HM",
        "VA",
        "HN",
        "HK",
        "HU",
        "IS",
        "IN",
        "ID",
        "IR",
        "IQ",
        "IE",
        "IM",
        "IL",
        "IT",
        "JM",
        "JP",
        "JE",
        "JO",
        "KZ",
        "KE",
        "KI",
        "KR",
        "XK",
        "KW",
        "KG",
        "LA",
        "LV",
        "LB",
        "LS",
        "LR",
        "LY",
        "LI",
        "LT",
        "LU",
        "MO",
        "MG",
        "MW",
        "MY",
        "MV",
        "ML",
        "MT",
        "MH",
        "MQ",
        "MR",
        "MU",
        "YT",
        "MX",
        "FM",
        "MD",
        "MC",
        "MN",
        "ME",
        "MS",
        "MA",
        "MZ",
        "MM",
        "NA",
        "NR",
        "NP",
        "NL",
        "NC",
        "NZ",
        "NI",
        "NE",
        "NG",
        "NU",
        "NF",
        "KP",
        "MK",
        "MP",
        "NO",
        "OM",
        "PK",
        "PW",
        "PS",
        "PA",
        "PG",
        "PY",
        "PE",
        "PH",
        "PN",
        "PL",
        "PT",
        "PR",
        "QA",
        "CG",
        "RE",
        "RO",
        "RU",
        "RW",
        "BL",
        "SH",
        "KN",
        "LC",
        "MF",
        "PM",
        "VC",
        "WS",
        "SM",
        "ST",
        "SA",
        "SN",
        "RS",
        "SC",
        "SL",
        "SG",
        "SX",
        "SK",
        "SI",
        "SB",
        "SO",
        "ZA",
        "GS",
        "SS",
        "ES",
        "LK",
        "SD",
        "SR",
        "SJ",
        "SE",
        "CH",
        "SY",
        "TW",
        "TJ",
        "TZ",
        "TH",
        "TL",
        "TG",
        "TK",
        "TO",
        "TT",
        "TN",
        "TR",
        "TM",
        "TC",
        "TV",
        "UG",
        "UA",
        "AE",
        "US",
        "UY",
        "UM",
        "UZ",
        "VU",
        "VE",
        "VN",
        "VG",
        "VI",
        "WF",
        "EH",
        "YE",
        "ZM",
        "ZW"
      ],
      "includeUnknownCountriesAndRegions": true,
      "countryLookupMethod": "clientIpAddress"
    },
    null
  ],
  "GUID": "f43e95aa-67c9-4e67-bb39-bf11d54d6cba"
}
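
A pre-flight check for the ordering problem reported above, as an added example that is not CIPP's code or part of the original issue: it lists the named locations a template needs created first and refuses to bind the policy while any location reference is still missing from the target tenant. The function names, the `tenant_locations` map (display name to id) and the sample id used with it are assumptions; `TEMPLATE` is a constructed, trimmed copy of the template shown in the issue.

```python
# Tokens Microsoft Graph accepts in place of a named-location id.
BUILTIN = {"All", "AllTrusted"}
FIELDS = ("includeLocations", "excludeLocations")

def location_refs(template):
    """Return the policy's location references, tolerating null sections."""
    locs = (template.get("conditions") or {}).get("locations") or {}
    return {f: list(locs.get(f) or []) for f in FIELDS}

def locations_to_create(template, tenant_locations):
    """LocationInfo definitions the policy references but the tenant lacks."""
    # LocationInfo may hold null entries, as in the template from the issue.
    defined = {d["displayName"]: d for d in template.get("LocationInfo") or [] if d}
    wanted = {r for refs in location_refs(template).values() for r in refs}
    return [defined[n] for n in sorted(wanted)
            if n in defined and n not in tenant_locations]

def bind_locations(template, tenant_locations):
    """Swap display names for target-tenant ids; fail on dangling references."""
    known_ids = set(tenant_locations.values())
    bound, dangling = {}, []
    for field, refs in location_refs(template).items():
        bound[field] = []
        for ref in refs:
            if ref in BUILTIN or ref in known_ids:
                bound[field].append(ref)
            elif ref in tenant_locations:
                bound[field].append(tenant_locations[ref])
            else:
                # Unknown name, or an id exported from another tenant.
                dangling.append(ref)
    if dangling:
        raise LookupError(f"named locations not present in tenant: {dangling}")
    return bound

# Constructed sample, trimmed from the template shape shown in the issue.
TEMPLATE = {
    "displayName": "MSP Blocked Countires",
    "conditions": {"locations": {"includeLocations": ["MSP Blocked Countries"],
                                 "excludeLocations": []}},
    "LocationInfo": [
        {"@odata.type": "#microsoft.graph.countryNamedLocation",
         "displayName": "MSP Blocked Countries",
         "countriesAndRegions": ["AF", "AX"],
         "includeUnknownCountriesAndRegions": True},
        None,
    ],
}
```

Run `locations_to_create` first, create what it returns, refresh `tenant_locations` from the tenant, and only then call `bind_locations`; a `LookupError` at that point means the policy would be posted with a reference the directory cannot resolve.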

@github-actions[bot] commented on GitHub (Jun 2, 2025):

Thank you for reporting a potential bug. If you would like to work on this bug, please comment:

I would like to work on this please!

Thank you for helping us maintain the project!


@KelvinTegelaar commented on GitHub (Jun 14, 2025):

Solved in dev
