[GH-ISSUE #4524] [Bug]: Get-CIPPAlertNoCAConfig.ps1 zero count validation issues #2080

New issue

Closed

opened 2026-03-02 13:49:27 +03:00 by kerem · 4 comments

kerem commented 2026-03-02 13:49:27 +03:00

Owner

Copy link

Originally created by @MWG-Logan on GitHub (Aug 14, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4524

Originally assigned to: @MWG-Logan on GitHub.

Required confirmations before submitting

• I can reproduce this issue on the latest released versions of both CIPP and CIPP-API.
• I have searched existing issues (both open and closed) to avoid duplicates.
• I am not requesting general support; this is an actual bug report.

Issue Description

Description

Get-CIPPAlertNoCAConfig.ps1 does not currently account for zero-count AAD_PREMIUM subscriptions (which can happen during suspensions), causing false positives in some cases. In layman's terms, the alert suggests a feature is available when it truly is not.

Reproduction

1. Create a scripted alert: Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available..
2. Assign it to a tenant with an AAD_PREMIUM granting entry in /subscribedSkus where prepaidUnits.enabled -eq 0.
3. Watch the alert fire and indicate that the tenant has conditional access available when it does not.

Proposed resolution

Add zero count catches in the function code to indicate that prepaidUnits.enabled -eq 0 does not count as CA granting.

Environment Type

Sponsored (paying) user

Front End Version

v8.3.0

Back End Version

v8.3.0

Relevant Logs / Stack Trace

Sent Webhook alert Alert - {redacted}.com - *All Tenants (AllTenants): Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available. to External webhook

`/subscribedSkus` output for their AAD_PREMIUM granting license:
    "prepaidUnits": {
      "enabled": 0,
      "suspended": 5,
      "warning": 0,
      "lockedOut": 0
    }

For a sanity check, I did confirm that Conditional Access policies were indeed locked out on the tenant in question.

Originally created by @MWG-Logan on GitHub (Aug 14, 2025). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4524 Originally assigned to: @MWG-Logan on GitHub. ### Required confirmations before submitting - [x] **I can reproduce this issue on the latest released versions** of both CIPP and CIPP-API. - [x] **I have searched existing issues** (both open and closed) to avoid duplicates. - [x] I am **not** requesting general support; this is an actual bug report. ### Issue Description ## Description Get-CIPPAlertNoCAConfig.ps1 does not currently account for zero-count `AAD_PREMIUM` subscriptions (which can happen during suspensions), causing false positives in some cases. In layman's terms, the alert suggests a feature is available when it truly is not. ## Reproduction 1. Create a scripted alert: `Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available.`. 2. Assign it to a tenant with an `AAD_PREMIUM` granting entry in /subscribedSkus where `prepaidUnits.enabled -eq 0`. 3. Watch the alert fire and indicate that the tenant has conditional access available when it does not. ## Proposed resolution Add zero count catches in the function code to indicate that `prepaidUnits.enabled -eq 0` does not count as CA granting. ### Environment Type Sponsored (paying) user ### Front End Version v8.3.0 ### Back End Version v8.3.0 ### Relevant Logs / Stack Trace ```plaintext Sent Webhook alert Alert - {redacted}.com - *All Tenants (AllTenants): Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available. to External webhook `/subscribedSkus` output for their AAD_PREMIUM granting license: "prepaidUnits": { "enabled": 0, "suspended": 5, "warning": 0, "lockedOut": 0 } For a sanity check, I did confirm that Conditional Access policies were indeed locked out on the tenant in question. ```

kerem 2026-03-02 13:49:27 +03:00

• closed this issue
• added the
  bug
  unconfirmed-by-user
  not-assigned
  labels

kerem commented 2026-03-02 13:49:29 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Aug 14, 2025):

Thank you for reporting a potential bug. If you would like to work on this bug, please comment:

I would like to work on this please!

Thank you for helping us maintain the project!

<!-- gh-comment-id:3188962579 --> @github-actions[bot] commented on GitHub (Aug 14, 2025): Thank you for reporting a potential bug. If you would like to work on this bug, please comment: > I would like to work on this please! Thank you for helping us maintain the project!

kerem commented 2026-03-02 13:49:29 +03:00

Author

Owner

Copy link

@MWG-Logan commented on GitHub (Aug 14, 2025):

I would like to work on this please!

<!-- gh-comment-id:3188966730 --> @MWG-Logan commented on GitHub (Aug 14, 2025): I would like to work on this please!

kerem commented 2026-03-02 13:49:29 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Aug 14, 2025):

Great! I assigned you (@MWGMorningwood) to the issue. Have fun working on it!

<!-- gh-comment-id:3188967193 --> @github-actions[bot] commented on GitHub (Aug 14, 2025): Great! I assigned you (@MWGMorningwood) to the issue. Have fun working on it!

kerem commented 2026-03-02 13:49:29 +03:00

Author

Owner

Copy link

@MWG-Logan commented on GitHub (Aug 18, 2025):

Merged in dev

<!-- gh-comment-id:3198596051 --> @MWG-Logan commented on GitHub (Aug 18, 2025): Merged in dev

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs

dev

dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42

dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2

dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0

dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2

dependabot/npm_and_yarn/dev/recharts-3.8.1

dependabot/github_actions/dev/actions/setup-node-6.4.0

copilot/add-alert-for-report-only-ca

release/beta

release/nightly

docs-maintenance

v10.4.0

v10.3.0

v10.2.0

v10.1.0

v10.0.0

v8.8.0

v8.7.0

v8.6.0

v8.5.0

v8.4.0

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.5.0

v7.4.0

v7.3.0

v7.2.0

v7.1.0

v7.0.1

v6.4.0

v6.3.0

v6.2.0

v6.1.0

v6.0.0

v5.9.0

v5.8.5

v5.8.0

v5.7.0

v5.6.0

v5.5.0

v5.4.0

v5.3.0

v5.2.0

v5.1.0

v5.0.0

v4.9.0

v4.8.0

v4.7.0

v.4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.0

v3.7.0

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.0

v2.20.0

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.13.0

v2.12.0

v2.11.2

v2.1.11.0

v.2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.5

v2.5.0

v2.4.0

v.2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

2.0.0

v1.5.1

v1.5.0

v1.4.3

v1.4.2

v1.4.0

v1.3.0

v1.2.1

v1.2.0

1.1.0

release

Labels

Clear labels   

API

  

Feature

  

NotABug

  

NotABug

  

Planned

  

Sponsor Priority

  

Sponsor Priority

  

bug

  

documentation

  

duplicate

  

enhancement

  

needs more info

  

no-activity

  

no-priority

  

not-assigned

  

pull-request

Mirrored from GitHub Pull Request

  

react-conversion

  

react-conversion

  

roadmap

  

security

  

stale

  

unconfirmed-by-user

  

unconfirmed-by-user

  

wontfix

No labels

API

Feature

NotABug

NotABug

Planned

Sponsor Priority

Sponsor Priority

bug

documentation

duplicate

enhancement

needs more info

no-activity

no-priority

not-assigned

pull-request

react-conversion

react-conversion

roadmap

security

stale

unconfirmed-by-user

unconfirmed-by-user

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/CIPP#2080

No description provided.