[GH-ISSUE #4524] [Bug]: Get-CIPPAlertNoCAConfig.ps1 zero count validation issues #2080

Closed
opened 2026-03-02 13:49:27 +03:00 by kerem · 4 comments
Owner

Originally created by @MWG-Logan on GitHub (Aug 14, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4524

Originally assigned to: @MWG-Logan on GitHub.

Required confirmations before submitting

  • I can reproduce this issue on the latest released versions of both CIPP and CIPP-API.
  • I have searched existing issues (both open and closed) to avoid duplicates.
  • I am not requesting general support; this is an actual bug report.

Issue Description

Description

Get-CIPPAlertNoCAConfig.ps1 does not currently account for zero-count AAD_PREMIUM subscriptions (which can happen during suspensions), causing false positives in some cases. In layman's terms, the alert suggests a feature is available when it truly is not.

Reproduction

  1. Create a scripted alert: Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available..
  2. Assign it to a tenant with an AAD_PREMIUM granting entry in /subscribedSkus where prepaidUnits.enabled -eq 0.
  3. Watch the alert fire and indicate that the tenant has conditional access available when it does not.

Proposed resolution

Add zero count catches in the function code to indicate that prepaidUnits.enabled -eq 0 does not count as CA granting.

Environment Type

Sponsored (paying) user

Front End Version

v8.3.0

Back End Version

v8.3.0

Relevant Logs / Stack Trace

Sent Webhook alert Alert - {redacted}.com - *All Tenants (AllTenants): Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available. to External webhook

`/subscribedSkus` output for their AAD_PREMIUM granting license:
    "prepaidUnits": {
      "enabled": 0,
      "suspended": 5,
      "warning": 0,
      "lockedOut": 0
    }

For a sanity check, I did confirm that Conditional Access policies were indeed locked out on the tenant in question.
Originally created by @MWG-Logan on GitHub (Aug 14, 2025). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4524 Originally assigned to: @MWG-Logan on GitHub. ### Required confirmations before submitting - [x] **I can reproduce this issue on the latest released versions** of both CIPP and CIPP-API. - [x] **I have searched existing issues** (both open and closed) to avoid duplicates. - [x] I am **not** requesting general support; this is an actual bug report. ### Issue Description ## Description Get-CIPPAlertNoCAConfig.ps1 does not currently account for zero-count `AAD_PREMIUM` subscriptions (which can happen during suspensions), causing false positives in some cases. In layman's terms, the alert suggests a feature is available when it truly is not. ## Reproduction 1. Create a scripted alert: `Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available.`. 2. Assign it to a tenant with an `AAD_PREMIUM` granting entry in /subscribedSkus where `prepaidUnits.enabled -eq 0`. 3. Watch the alert fire and indicate that the tenant has conditional access available when it does not. ## Proposed resolution Add zero count catches in the function code to indicate that `prepaidUnits.enabled -eq 0` does not count as CA granting. ### Environment Type Sponsored (paying) user ### Front End Version v8.3.0 ### Back End Version v8.3.0 ### Relevant Logs / Stack Trace ```plaintext Sent Webhook alert Alert - {redacted}.com - *All Tenants (AllTenants): Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available. to External webhook `/subscribedSkus` output for their AAD_PREMIUM granting license: "prepaidUnits": { "enabled": 0, "suspended": 5, "warning": 0, "lockedOut": 0 } For a sanity check, I did confirm that Conditional Access policies were indeed locked out on the tenant in question. ```
Author
Owner

@github-actions[bot] commented on GitHub (Aug 14, 2025):

Thank you for reporting a potential bug. If you would like to work on this bug, please comment:

I would like to work on this please!

Thank you for helping us maintain the project!

<!-- gh-comment-id:3188962579 --> @github-actions[bot] commented on GitHub (Aug 14, 2025): Thank you for reporting a potential bug. If you would like to work on this bug, please comment: > I would like to work on this please! Thank you for helping us maintain the project!
Author
Owner

@MWG-Logan commented on GitHub (Aug 14, 2025):

I would like to work on this please!

<!-- gh-comment-id:3188966730 --> @MWG-Logan commented on GitHub (Aug 14, 2025): I would like to work on this please!
Author
Owner

@github-actions[bot] commented on GitHub (Aug 14, 2025):

Great! I assigned you (@MWGMorningwood) to the issue. Have fun working on it!

<!-- gh-comment-id:3188967193 --> @github-actions[bot] commented on GitHub (Aug 14, 2025): Great! I assigned you (@MWGMorningwood) to the issue. Have fun working on it!
Author
Owner

@MWG-Logan commented on GitHub (Aug 18, 2025):

Merged in dev

<!-- gh-comment-id:3198596051 --> @MWG-Logan commented on GitHub (Aug 18, 2025): Merged in dev
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/CIPP#2080
No description provided.