Merge pull request #55 from maester365/tn-EidscaMinorFixes

EIDSCA bug fixes and support for conditions and discovery

build/EIDSCA/Update-EidscaTests.ps1

@@ -289,19 +289,8 @@ Function GetEidscaPsFunctionName($controlItem) {
 
 # Start by getting the latest EIDSCA config
 $aadsc = Invoke-WebRequest -Uri $AadSecConfigUrl | ConvertFrom-Json
-$aadsc = $aadsc[0].ControlArea
-
-$testTemplate = @'
-Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" {
-   It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%" {
-      <#
-         Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%"
-         .%CurrentValue% = %RecommendedValue%
-      #>
-      %PSFunctionName% | Should -Be %RecommendedValue%
-   }
-}
-'@
+$aadsc = ($aadsc | Where-Object {$_.CollectedBy -eq "Maester"}).ControlArea
+$Discovery = ($aadsc | where-Object {$_.discovery -ne ""}).Discovery
 
 # Remove previously generated files
 Get-ChildItem -Path $DocsPath -Filter "*.md" -Exclude "readme.md" | Remove-Item -Force
@@ -321,10 +310,29 @@ foreach ($control in $aadsc) {
     Write-Verbose "Generating test for $($control.ControlName)"
 
     $testOutputList = [System.Text.StringBuilder]::new()
+
     foreach ($controlItem in $control.Controls) {
         # Export check only if RecommendedValue is set
         if (($null -ne $controlItem.RecommendedValue -and $controlItem.RecommendedValue -ne "")) {
             $docName = $controlItem.CheckId
+
+$testTemplate = @'
+Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" {
+    It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%" {
+        <#
+            Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%"
+            .%CurrentValue% = %RecommendedValue%
+        #>
+        %PSFunctionName% | Should -Be %RecommendedValue%
+    }
+}
+'@
+
+            # Add condition to test template if defined in EidscaTest
+            if ($controlItem.SkipCondition -ne "") {
+
+                $testTemplate = $testTemplate.Replace( '"%CheckId%"', '"%CheckId%" -Skip:( ' + $controlItem.SkipCondition + ' )')
+            }
             $testOutput = UpdateTemplate -template $testTemplate -control $control -controlItem $controlItem -docName $docName
             $docsOutput = UpdateTemplate -template $docsTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true
             $psOutput = UpdateTemplate -template $psTemplate -control $control -controlItem $controlItem -docName $docName
@@ -347,6 +355,15 @@ foreach ($control in $aadsc) {
         [void]$sb.AppendLine($testOutputList)
     }
 }
-$output = $sb.ToString()
 
+$output = @'
+BeforeDiscovery {
+<DiscoveryFromJson>}
+
+'@
+
+# Replace placeholder with Discovery checks from definition in EIDSCA JSON
+$output = $output.Replace('<DiscoveryFromJson>',($Discovery | Out-String))
+
+$output += $sb.ToString()
 $output | Out-File $TestFilePath -Encoding utf8

powershell/public/EIDSCA/Test-MtEidscaAF03.md

@@ -1,4 +1,4 @@
-Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft???s additional set of validation testing.
+Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing.
 
 
 

powershell/public/EIDSCA/Test-MtEidscaAF03.ps1

@@ -4,7 +4,7 @@
 
 .DESCRIPTION
 
-    Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft???s additional set of validation testing.
+    Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing.
 
     Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
     and returns the result of

powershell/public/EIDSCA/Test-MtEidscaAF04.md

@@ -0,0 +1,18 @@
+Manages if registration of FIDO2 keys should be restricted.
+
+Restrict usage of FIDO2 from unauthorized vendors or platforms
+
+#### Test script
+```
+https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
+.keyRestrictions.isEnforced = 'true'
+```
+
+#### Related links
+
+- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)
+- [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration)
+
+
+<!--- Results --->
+%TestResult%

powershell/public/EIDSCA/Test-MtEidscaAF04.ps1

@@ -0,0 +1,38 @@
+<#
+.SYNOPSIS
+    Checks if Authentication Method - FIDO2 security key - Enforce key restrictions is set to 'true'
+
+.DESCRIPTION
+
+    Manages if registration of FIDO2 keys should be restricted.
+
+    Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
+    and returns the result of
+     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.isEnforced -eq 'true'
+
+.EXAMPLE
+    Test-MtEidscaAF04
+
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.isEnforced -eq 'true'
+#>
+
+Function Test-MtEidscaAF04 {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" -ApiVersion beta
+
+    $tenantValue = $result.keyRestrictions.isEnforced
+    $testResult = $tenantValue -eq 'true'
+
+    if($testResult){
+        $testResultMarkdown = "Well done. Your tenant has the recommended value of **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+    }
+    else {
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+    }
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $tenantValue
+}

powershell/public/EIDSCA/Test-MtEidscaAF05.md

@@ -0,0 +1,18 @@
+You can work with your Security key provider to determine the AAGuids of their devices for allowing or blocking usage.
+
+
+
+#### Test script
+```
+https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
+.keyRestrictions.aaGuids -notcontains $null = 'true'
+```
+
+#### Related links
+
+- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)
+- [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration)
+
+
+<!--- Results --->
+%TestResult%

powershell/public/EIDSCA/Test-MtEidscaAF05.ps1

@@ -0,0 +1,38 @@
+<#
+.SYNOPSIS
+    Checks if Authentication Method - FIDO2 security key - Restricted is set to 'true'
+
+.DESCRIPTION
+
+    You can work with your Security key provider to determine the AAGuids of their devices for allowing or blocking usage.
+
+    Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
+    and returns the result of
+     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -eq 'true'
+
+.EXAMPLE
+    Test-MtEidscaAF05
+
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -eq 'true'
+#>
+
+Function Test-MtEidscaAF05 {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" -ApiVersion beta
+
+    $tenantValue = $result.keyRestrictions.aaGuids -notcontains $null
+    $testResult = $tenantValue -eq 'true'
+
+    if($testResult){
+        $testResultMarkdown = "Well done. Your tenant has the recommended value of **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+    }
+    else {
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+    }
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $tenantValue
+}

powershell/public/EIDSCA/Test-MtEidscaAF06.md

@@ -1,11 +1,11 @@
 Defines if list of AADGUID will be used to allow or block registration.
 
-
+You should use Block or Allow as value to allow- or blocklisting of AAGuids.
 
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.enforcementType = 'block'
+.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true'
 ```
 
 #### Related links

powershell/public/EIDSCA/Test-MtEidscaAF06.ps1

@@ -1,19 +1,19 @@
 <#
 .SYNOPSIS
-    Checks if Authentication Method - FIDO2 security key - Restrict specific keys is set to 'block'
+    Checks if Authentication Method - FIDO2 security key - Restrict specific keys is set to 'true'
 
 .DESCRIPTION
 
     Defines if list of AADGUID will be used to allow or block registration.
 
     Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
     and returns the result of
-     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.enforcementType -eq 'block'
+     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true'
 
 .EXAMPLE
     Test-MtEidscaAF06
 
-    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.enforcementType -eq 'block'
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true'
 #>
 
 Function Test-MtEidscaAF06 {
@@ -23,14 +23,14 @@ Function Test-MtEidscaAF06 {
 
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" -ApiVersion beta
 
-    $tenantValue = $result.keyRestrictions.enforcementType
-    $testResult = $tenantValue -eq 'block'
+    $tenantValue = $result.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block')
+    $testResult = $tenantValue -eq 'true'
 
     if($testResult){
-        $testResultMarkdown = "Well done. Your tenant has the recommended value of **'block'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+        $testResultMarkdown = "Well done. Your tenant has the recommended value of **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
     }
     else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'block'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 

powershell/public/EIDSCA/Test-MtEidscaAP08.md

@@ -5,7 +5,7 @@ Microsoft recommends to allow to user consent for apps from verified publisher f
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
+.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
 ```
 
 #### Related links

powershell/public/EIDSCA/Test-MtEidscaAP08.ps1

@@ -8,12 +8,12 @@
 
     Queries policies/authorizationPolicy
     and returns the result of
-     graph/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
+     graph/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
 
 .EXAMPLE
     Test-MtEidscaAP08
 
-    Returns the result of graph.microsoft.com/beta/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
+    Returns the result of graph.microsoft.com/beta/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
 #>
 
 Function Test-MtEidscaAP08 {
@@ -23,7 +23,7 @@ Function Test-MtEidscaAP08 {
 
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -ApiVersion beta
 
-    $tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole[2]
+    $tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1
     $testResult = $tenantValue -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
 
     if($testResult){

powershell/public/EIDSCA/Test-MtEidscaCP04.ps1

@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to??? is set to 'true'
+    Checks if Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to is set to 'true'
 
 .DESCRIPTION
 

powershell/public/EIDSCA/Test-MtEidscaCR02.ps1

@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests??? is set to 'true'
+    Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests is set to 'true'
 
 .DESCRIPTION
 

powershell/public/EIDSCA/Test-MtEidscaCR03.ps1

@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire??? is set to 'true'
+    Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire is set to 'true'
 
 .DESCRIPTION
 

powershell/public/EIDSCA/Test-MtEidscaCR04.ps1

@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Consent Framework - Admin Consent Request - Consent request duration (days)??? is set to '30'
+    Checks if Consent Framework - Admin Consent Request - Consent request duration (days) is set to '30'
 
 .DESCRIPTION
 

powershell/public/Get-MtAuthenticationMethodPolicyConfig.ps1

@@ -0,0 +1,26 @@
+<#
+.SYNOPSIS
+    Get details of authentication methods
+
+.DESCRIPTION
+    This function retrieves the configuration of authentication methods with specific state.
+
+.EXAMPLE
+    Get-MtAuthenticationMethodPolicyConfig -State Enabled
+#>
+function Get-MtAuthenticationMethodPolicyConfig {
+
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [ValidateSet("Enabled", "Disabled")]
+        [string]$State
+    )
+
+    Write-Verbose -Message "Getting authenticationMethodConfigurations from Authentication Methods Policy."
+    if ($State) {
+        return (Invoke-MtGraphRequest -RelativeUri 'policies/authenticationMethodsPolicy' -ApiVersion beta).authenticationMethodConfigurations | where-object {$_.state -eq $state}
+    } else {
+        return (Invoke-MtGraphRequest -RelativeUri 'policies/authenticationMethodsPolicy' -ApiVersion beta).authenticationMethodConfigurations
+    }
+}