From ba53fe4a722418ff6fa18a0850c46de8e18acab3 Mon Sep 17 00:00:00 2001 From: cloud-architekt Date: Sun, 31 Mar 2024 20:40:49 +0200 Subject: [PATCH 1/3] Updated EIDSCA tests --- build/EIDSCA/Update-EidscaTests.ps1 | 2 +- powershell/public/EIDSCA/Test-MtEidscaAF03.md | 2 +- powershell/public/EIDSCA/Test-MtEidscaAF03.ps1 | 2 +- powershell/public/EIDSCA/Test-MtEidscaAF06.md | 2 +- powershell/public/EIDSCA/Test-MtEidscaAF06.ps1 | 14 +++++++------- powershell/public/EIDSCA/Test-MtEidscaCR02.ps1 | 2 +- powershell/public/EIDSCA/Test-MtEidscaCR03.ps1 | 2 +- powershell/public/EIDSCA/Test-MtEidscaCR04.ps1 | 2 +- tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 10 +++++----- website/docs/tests/eidsca/EIDSCA.AF03.md | 2 +- website/docs/tests/eidsca/EIDSCA.AF06.md | 6 +++--- website/docs/tests/eidsca/EIDSCA.CR02.md | 4 ++-- website/docs/tests/eidsca/EIDSCA.CR03.md | 8 ++++---- website/docs/tests/eidsca/EIDSCA.CR04.md | 4 ++-- 14 files changed, 31 insertions(+), 31 deletions(-) diff --git a/build/EIDSCA/Update-EidscaTests.ps1 b/build/EIDSCA/Update-EidscaTests.ps1 index 48bc57db..79b493ba 100644 --- a/build/EIDSCA/Update-EidscaTests.ps1 +++ b/build/EIDSCA/Update-EidscaTests.ps1 @@ -289,7 +289,7 @@ Function GetEidscaPsFunctionName($controlItem) { # Start by getting the latest EIDSCA config $aadsc = Invoke-WebRequest -Uri $AadSecConfigUrl | ConvertFrom-Json -$aadsc = $aadsc[0].ControlArea +$aadsc = ($aadsc | Where-Object {$_.CollectedBy -eq "Maester"}).ControlArea $testTemplate = @' Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" { diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF03.md b/powershell/public/EIDSCA/Test-MtEidscaAF03.md index 4bc759b3..6c2b823a 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaAF03.md +++ b/powershell/public/EIDSCA/Test-MtEidscaAF03.md 
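Review bot: `$aadsc = ($aadsc | Where-Object {$_.CollectedBy -eq "Maester"}).ControlArea` has no guard for the case where the downloaded config contains no element with `CollectedBy -eq "Maester"`; `$aadsc` then becomes `$null` and the generator carries on with an empty control set. Because later stages of this script delete the previously generated files (visible in the patch 2 hunk of the same file, `# Remove previously generated files`), a schema change in the upstream JSON behind `$AadSecConfigUrl` would silently produce an empty test suite instead of a build failure. Consider failing fast right after the assignment, e.g. `if (-not $aadsc) { throw "No EIDSCA control areas with CollectedBy 'Maester' found in $AadSecConfigUrl" }`. The script continues outside the hunk.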
@@ -1,4 +1,4 @@ -Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft???s additional set of validation testing. +Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing. diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF03.ps1 b/powershell/public/EIDSCA/Test-MtEidscaAF03.ps1 index 4c3a02d4..126dcf78 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaAF03.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaAF03.ps1 @@ -4,7 +4,7 @@ .DESCRIPTION - Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft???s additional set of validation testing. + Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing. Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') and returns the result of diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF06.md b/powershell/public/EIDSCA/Test-MtEidscaAF06.md index 18983d58..d8e17709 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaAF06.md +++ b/powershell/public/EIDSCA/Test-MtEidscaAF06.md @@ -5,7 +5,7 @@ Defines if list of AADGUID will be used to allow or block registration. #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.keyRestrictions.enforcementType = 'block' +.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true' ``` #### Related links diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF06.ps1 b/powershell/public/EIDSCA/Test-MtEidscaAF06.ps1 index 45198048..9e1362f6 100644 
--- a/powershell/public/EIDSCA/Test-MtEidscaAF06.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaAF06.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Authentication Method - FIDO2 security key - Restrict specific keys is set to 'block' + Checks if Authentication Method - FIDO2 security key - Restrict specific keys is set to 'true' .DESCRIPTION @@ -8,12 +8,12 @@ Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') and returns the result of - graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.enforcementType -eq 'block' + graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true' .EXAMPLE Test-MtEidscaAF06 - Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.enforcementType -eq 'block' + Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true' #> Function Test-MtEidscaAF06 { 
@@ -23,14 +23,14 @@ Function Test-MtEidscaAF06 { $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" -ApiVersion beta - $tenantValue = $result.keyRestrictions.enforcementType - $testResult = $tenantValue -eq 'block' + $tenantValue = $result.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') + $testResult = $tenantValue -eq 'true' if($testResult){ - $testResultMarkdown = "Well done. Your tenant has the recommended value of **'block'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**" + $testResultMarkdown = "Well done. Your tenant has the recommended value of **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**" } else { - $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'block'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**" + $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**" } Add-MtTestResultDetail -Result $testResultMarkdown diff --git a/powershell/public/EIDSCA/Test-MtEidscaCR02.ps1 b/powershell/public/EIDSCA/Test-MtEidscaCR02.ps1 index 87edb1c4..c543f16a 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaCR02.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaCR02.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests??? is set to 'true' + Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests is set to 'true' .DESCRIPTION 
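Review bot: `$tenantValue = $result.keyRestrictions.aaGuids -notcontains $null -and (...)` reports compliance for a tenant that has no AAGUID restriction at all: if Graph returns `aaGuids` as an empty array, `@() -notcontains $null` is `$true`, and `enforcementType` carries a value ('block' was the documented default in the old EIDSCA.AF06.md row) even when nothing is listed, so the combined expression is `$true` for an unconfigured key restriction. The expression also ignores `keyRestrictions.isEnforced`, which the new AF04 checks separately; presumably the AAGUID list only takes effect when enforcement is on, so this test alone can pass on a tenant where keys are not restricted — confirm against the Graph resource docs linked in the .md. A stricter single line is `$tenantValue = [bool]$result.keyRestrictions.isEnforced -and (@($result.keyRestrictions.aaGuids | Where-Object { $_ }).Count -gt 0) -and ($result.keyRestrictions.enforcementType -in 'allow','block')`. The same `-notcontains $null` pattern is introduced for AF05 in patch 2 (Test-MtEidscaAF05.ps1). Test-MtEidscaAF06's body continues outside the hunk.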
diff --git a/powershell/public/EIDSCA/Test-MtEidscaCR03.ps1 b/powershell/public/EIDSCA/Test-MtEidscaCR03.ps1 index 871d0bb2..af0ceea5 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaCR03.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaCR03.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire??? is set to 'true' + Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire is set to 'true' .DESCRIPTION diff --git a/powershell/public/EIDSCA/Test-MtEidscaCR04.ps1 b/powershell/public/EIDSCA/Test-MtEidscaCR04.ps1 index 8f9049a1..279d55eb 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaCR04.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaCR04.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Consent Framework - Admin Consent Request - Consent request duration (days)??? is set to '30' + Checks if Consent Framework - Admin Consent Request - Consent request duration (days) is set to '30' .DESCRIPTION diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 index 117e909d..180caacf 100644 --- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 +++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 
@@ -305,9 +305,9 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF06: Authentication Method - FIDO2 security key - Restrict specific keys. See https://maester.dev/docs/tests/EIDSCA.AF06" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .keyRestrictions.enforcementType = 'block' + .keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true' #> - Test-MtEidscaAF06 | Should -Be 'block' + Test-MtEidscaAF06 | Should -Be 'true' } } @@ -350,7 +350,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", } } Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR02" { - It "EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests???. See https://maester.dev/docs/tests/EIDSCA.CR02" { + It "EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. See https://maester.dev/docs/tests/EIDSCA.CR02" { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" .notifyReviewers = 'true' 
@@ -359,7 +359,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", } } Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR03" { - It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire???. See https://maester.dev/docs/tests/EIDSCA.CR03" { + It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. See https://maester.dev/docs/tests/EIDSCA.CR03" { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" .notifyReviewers = 'true' @@ -368,7 +368,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", } } Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR04" { - It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days)???. See https://maester.dev/docs/tests/EIDSCA.CR04" { + It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). See https://maester.dev/docs/tests/EIDSCA.CR04" { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" .requestDurationInDays = '30' diff --git a/website/docs/tests/eidsca/EIDSCA.AF03.md b/website/docs/tests/eidsca/EIDSCA.AF03.md index 42a00c56..9e14f102 100644 --- a/website/docs/tests/eidsca/EIDSCA.AF03.md +++ b/website/docs/tests/eidsca/EIDSCA.AF03.md 
@@ -6,7 +6,7 @@ sidebar_class_name: hidden # Authentication Method - FIDO2 security key - Enforce attestation -Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft???s additional set of validation testing. +Requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also pass Microsoft's additional set of validation testing. | | | |-|-| diff --git a/website/docs/tests/eidsca/EIDSCA.AF06.md b/website/docs/tests/eidsca/EIDSCA.AF06.md index 11ac0c50..d4002ee5 100644 --- a/website/docs/tests/eidsca/EIDSCA.AF06.md +++ b/website/docs/tests/eidsca/EIDSCA.AF06.md @@ -20,9 +20,9 @@ Defines if list of AADGUID will be used to allow or block registration. |-|-| | **Recommendation** | | | **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') | -| **Setting** | `keyRestrictions.enforcementType` | -| **Recommended Value** | 'block' | -| **Default Value** | block | +| **Setting** | `keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block')` | +| **Recommended Value** | 'true' | +| **Default Value** | false | | **Graph API Docs** | [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration) | | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | diff --git a/website/docs/tests/eidsca/EIDSCA.CR02.md b/website/docs/tests/eidsca/EIDSCA.CR02.md index cb92dd93..22cbb23a 100644 --- a/website/docs/tests/eidsca/EIDSCA.CR02.md +++ b/website/docs/tests/eidsca/EIDSCA.CR02.md 
@@ -1,10 +1,10 @@ --- -title: EIDSCA.CR02 - Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests??? +title: EIDSCA.CR02 - Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests slug: /tests/EIDSCA.CR02 sidebar_class_name: hidden --- -# Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests??? +# Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests Specifies whether reviewers will receive notifications diff --git a/website/docs/tests/eidsca/EIDSCA.CR03.md b/website/docs/tests/eidsca/EIDSCA.CR03.md index 1166d433..40615aba 100644 --- a/website/docs/tests/eidsca/EIDSCA.CR03.md +++ b/website/docs/tests/eidsca/EIDSCA.CR03.md @@ -1,10 +1,10 @@ --- -title: EIDSCA.CR03 - Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire??? +title: EIDSCA.CR03 - Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire slug: /tests/EIDSCA.CR03 sidebar_class_name: hidden --- -# Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire??? +# Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire Specifies whether reviewers will receive reminder emails @@ -38,7 +38,7 @@ mindmap TA0006 - Credential Access - Credential Access TA0008 - Lateral Movement - Lateral Movement (Mitigation) - M1018 - User Account Management + M1018 - User Account Management M1017 - User Training (Technique) T1078 - Valid Accounts @@ -49,5 +49,5 @@ mindmap ``` |Tactic|Technique|Mitigation| |---|---|---| -|[TA0001 - Initial Access - Initial Access](https://attack.mitre.org/tactics/TA0001)
[TA0005 - Defense Evasion - Defense Evasion](https://attack.mitre.org/tactics/TA0005)
[TA0006 - Credential Access - Credential Access](https://attack.mitre.org/tactics/TA0006)
[TA0008 - Lateral Movement - Lateral Movement](https://attack.mitre.org/tactics/TA0008)|[T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078)
[T1528 - Steal Application Access Token](https://attack.mitre.org/techniques/T1528)
[T1550 - Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)
[T1550.001 - Use Alternate Authentication Material: Application Access Token](https://attack.mitre.org/techniques/T1550/001)
[T1566.002 - Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)|[ M1018 - User Account Management](https://attack.mitre.org/mitigations/M1018)
[M1017 - User Training](https://attack.mitre.org/mitigations/M1017)| +|[TA0001 - Initial Access - Initial Access](https://attack.mitre.org/tactics/TA0001)
[TA0005 - Defense Evasion - Defense Evasion](https://attack.mitre.org/tactics/TA0005)
[TA0006 - Credential Access - Credential Access](https://attack.mitre.org/tactics/TA0006)
[TA0008 - Lateral Movement - Lateral Movement](https://attack.mitre.org/tactics/TA0008)|[T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078)
[T1528 - Steal Application Access Token](https://attack.mitre.org/techniques/T1528)
[T1550 - Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)
[T1550.001 - Use Alternate Authentication Material: Application Access Token](https://attack.mitre.org/techniques/T1550/001)
[T1566.002 - Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)|[M1018 - User Account Management](https://attack.mitre.org/mitigations/M1018)
[M1017 - User Training](https://attack.mitre.org/mitigations/M1017)| diff --git a/website/docs/tests/eidsca/EIDSCA.CR04.md b/website/docs/tests/eidsca/EIDSCA.CR04.md index 6107bcd2..09112d5b 100644 --- a/website/docs/tests/eidsca/EIDSCA.CR04.md +++ b/website/docs/tests/eidsca/EIDSCA.CR04.md @@ -1,10 +1,10 @@ --- -title: EIDSCA.CR04 - Consent Framework - Admin Consent Request - Consent request duration (days)??? +title: EIDSCA.CR04 - Consent Framework - Admin Consent Request - Consent request duration (days) slug: /tests/EIDSCA.CR04 sidebar_class_name: hidden --- -# Consent Framework - Admin Consent Request - Consent request duration (days)??? +# Consent Framework - Admin Consent Request - Consent request duration (days) Specifies the duration the request is active before it automatically expires if no decision is applied From 9999ee95df5475426eba6bc5a463b625bf7dd31d Mon Sep 17 00:00:00 2001 
From: cloud-architekt Date: Mon, 1 Apr 2024 19:59:44 +0200 Subject: [PATCH 2/3] EIDSCA Checks with Conditions and Discovery --- build/EIDSCA/Update-EidscaTests.ps1 | 52 +- powershell/public/EIDSCA/Test-MtEidscaAF04.md | 18 + .../public/EIDSCA/Test-MtEidscaAF04.ps1 | 38 + powershell/public/EIDSCA/Test-MtEidscaAF05.md | 18 + .../public/EIDSCA/Test-MtEidscaAF05.ps1 | 38 + powershell/public/EIDSCA/Test-MtEidscaAF06.md | 2 +- powershell/public/EIDSCA/Test-MtEidscaAP08.md | 2 +- .../public/EIDSCA/Test-MtEidscaAP08.ps1 | 6 +- .../public/EIDSCA/Test-MtEidscaCP04.ps1 | 2 +- ...Get-MtAuthenticationMethodPolicyConfig.ps1 | 26 + tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 652 +++++++++--------- website/docs/tests/eidsca/EIDSCA.AF04.md | 30 + website/docs/tests/eidsca/EIDSCA.AF05.md | 30 + website/docs/tests/eidsca/EIDSCA.AF06.md | 2 +- website/docs/tests/eidsca/EIDSCA.AP08.md | 6 +- website/docs/tests/eidsca/EIDSCA.CP04.md | 4 +- 16 files changed, 586 insertions(+), 340 deletions(-) create mode 100644 powershell/public/EIDSCA/Test-MtEidscaAF04.md create mode 100644 powershell/public/EIDSCA/Test-MtEidscaAF04.ps1 create mode 100644 powershell/public/EIDSCA/Test-MtEidscaAF05.md create mode 100644 powershell/public/EIDSCA/Test-MtEidscaAF05.ps1 create mode 100644 powershell/public/Get-MtAuthenticationMethodPolicyConfig.ps1 create mode 100644 website/docs/tests/eidsca/EIDSCA.AF04.md create mode 100644 website/docs/tests/eidsca/EIDSCA.AF05.md diff --git a/build/EIDSCA/Update-EidscaTests.ps1 b/build/EIDSCA/Update-EidscaTests.ps1 index 79b493ba..104f0d79 100644 --- a/build/EIDSCA/Update-EidscaTests.ps1 +++ b/build/EIDSCA/Update-EidscaTests.ps1 
@@ -290,18 +290,7 @@ Function GetEidscaPsFunctionName($controlItem) { # Start by getting the latest EIDSCA config $aadsc = Invoke-WebRequest -Uri $AadSecConfigUrl | ConvertFrom-Json $aadsc = ($aadsc | Where-Object {$_.CollectedBy -eq "Maester"}).ControlArea - -$testTemplate = @' -Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" { - It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%" { - <# - Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%" - .%CurrentValue% = %RecommendedValue% - #> - %PSFunctionName% | Should -Be %RecommendedValue% - } -} -'@ +$Discovery = ($aadsc | where-Object {$_.discovery -ne ""}).Discovery # Remove previously generated files Get-ChildItem -Path $DocsPath -Filter "*.md" -Exclude "readme.md" | Remove-Item -Force 
@@ -321,10 +310,29 @@ foreach ($control in $aadsc) { Write-Verbose "Generating test for $($control.ControlName)" $testOutputList = [System.Text.StringBuilder]::new() + foreach ($controlItem in $control.Controls) { # Export check only if RecommendedValue is set if (($null -ne $controlItem.RecommendedValue -and $controlItem.RecommendedValue -ne "")) { $docName = $controlItem.CheckId + +$testTemplate = @' +Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" { + It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%" { + <# + Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%" + .%CurrentValue% = %RecommendedValue% + #> + %PSFunctionName% | Should -Be %RecommendedValue% + } +} +'@ + + # Add condition to test template if defined in EidscaTest + if ($controlItem.SkipCondition -ne "") { + + $testTemplate = $testTemplate.Replace( '"%CheckId%"', '"%CheckId%" -Skip:( ' + $controlItem.SkipCondition + ' )') + } $testOutput = UpdateTemplate -template $testTemplate -control $control -controlItem $controlItem -docName $docName $docsOutput = UpdateTemplate -template $docsTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true $psOutput = UpdateTemplate -template $psTemplate -control $control -controlItem $controlItem -docName $docName @@ -347,6 +355,24 @@ foreach ($control in $aadsc) { [void]$sb.AppendLine($testOutputList) } } -$output = $sb.ToString() +$output = @' +BeforeDiscovery { + $EntraIDPlan = Get-MtLicenseInformation -Product "EntraID" + $EnabledAuthMethods = (Get-MtAuthenticationMethodPolicyConfig -State Enabled).Id + $EnabledAdminConsentWorkflow = (Invoke-MtGraphRequest -RelativeUri 'policies/adminConsentRequestPolicy' -ApiVersion beta).isenabled +} + +'@ + +$output = @' +BeforeDiscovery { +} + +'@ + + +$output = $output.Replace('',($Discovery | Out-String)) + +$output += $sb.ToString() $output | Out-File $TestFilePath -Encoding utf8 \ No newline at end of file 
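Review bot: `$testTemplate.Replace('"%CheckId%"', '"%CheckId%" -Skip:( ' + $controlItem.SkipCondition + ' )')` and the later `$output.Replace('', ($Discovery | Out-String))` splice strings taken verbatim from the remotely fetched `$AadSecConfigUrl` JSON into Test-EIDSCA.Generated.Tests.ps1, where they execute as PowerShell during Pester discovery, so the upstream config file becomes an executable input of this repository. The generator should validate each `SkipCondition` and `Discovery` value before emitting it (an allow-list of the expressions the build expects, failing the build on anything else) and the generated file should stay committed so that its diff is reviewed rather than regenerated blindly. In the second hunk the first `$output = @'...'@` here-string (the one declaring `$EntraIDPlan`) is dead code, overwritten by the second assignment on the next statement, so one of the two should be removed. As rendered here the search argument of `$output.Replace('', ...)` is an empty string, which .NET's String.Replace rejects; if a placeholder token was lost in rendering, make sure it is one that cannot occur elsewhere in the here-string. The enclosing `foreach ($control in $aadsc)` loop starts outside the hunk.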
diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF04.md b/powershell/public/EIDSCA/Test-MtEidscaAF04.md new file mode 100644 index 00000000..f3ac3053 --- /dev/null +++ b/powershell/public/EIDSCA/Test-MtEidscaAF04.md @@ -0,0 +1,18 @@ +Manages if registration of FIDO2 keys should be restricted. + +Restrict usage of FIDO2 from unauthorized vendors or platforms + +#### Test script +``` +https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') +.keyRestrictions.isEnforced = 'true' +``` + +#### Related links + +- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) +- [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration) + + + +%TestResult% diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF04.ps1 b/powershell/public/EIDSCA/Test-MtEidscaAF04.ps1 new file mode 100644 index 00000000..e660b42a --- /dev/null +++ b/powershell/public/EIDSCA/Test-MtEidscaAF04.ps1 
@@ -0,0 +1,38 @@
+<#
+.SYNOPSIS
+ Checks if Authentication Method - FIDO2 security key - Enforce key restrictions is set to 'true'
+
+.DESCRIPTION
+
+ Manages if registration of FIDO2 keys should be restricted.
+
+ Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
+ and returns the result of
+ graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.isEnforced -eq 'true'
+
+.EXAMPLE
+ Test-MtEidscaAF04
+
+ Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.isEnforced -eq 'true'
+#>
+
+Function Test-MtEidscaAF04 {
+ [CmdletBinding()]
+ [OutputType([bool])]
+ param()
+
+ $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" -ApiVersion beta
+
+ $tenantValue = $result.keyRestrictions.isEnforced
+ $testResult = $tenantValue -eq 'true'
+
+ if($testResult){
+ $testResultMarkdown = "Well done. Your tenant has the recommended value of **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+ }
+ else {
+ $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+ }
+ Add-MtTestResultDetail -Result $testResultMarkdown
+
+ return $tenantValue
+}
diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF05.md b/powershell/public/EIDSCA/Test-MtEidscaAF05.md
new file mode 100644
index 00000000..c2cc1261
--- /dev/null
+++ b/powershell/public/EIDSCA/Test-MtEidscaAF05.md
@@ -0,0 +1,18 @@ +You can work with your Security key provider to determine the AAGuids of their devices for allowing or blocking usage. + + + +#### Test script +``` +https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') +.keyRestrictions.aaGuids -notcontains $null = 'true' +``` + +#### Related links + +- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) +- [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration) + + + +%TestResult% diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF05.ps1 b/powershell/public/EIDSCA/Test-MtEidscaAF05.ps1 new file mode 100644 index 00000000..e64bd305 --- /dev/null +++ b/powershell/public/EIDSCA/Test-MtEidscaAF05.ps1 
@@ -0,0 +1,38 @@
+<#
+.SYNOPSIS
+ Checks if Authentication Method - FIDO2 security key - Restricted is set to 'true'
+
+.DESCRIPTION
+
+ You can work with your Security key provider to determine the AAGuids of their devices for allowing or blocking usage.
+
+ Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
+ and returns the result of
+ graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -eq 'true'
+
+.EXAMPLE
+ Test-MtEidscaAF05
+
+ Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2').keyRestrictions.aaGuids -notcontains $null -eq 'true'
+#>
+
+Function Test-MtEidscaAF05 {
+ [CmdletBinding()]
+ [OutputType([bool])]
+ param()
+
+ $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" -ApiVersion beta
+
+ $tenantValue = $result.keyRestrictions.aaGuids -notcontains $null
+ $testResult = $tenantValue -eq 'true'
+
+ if($testResult){
+ $testResultMarkdown = "Well done. Your tenant has the recommended value of **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+ }
+ else {
+ $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
+ }
+ Add-MtTestResultDetail -Result $testResultMarkdown
+
+ return $tenantValue
+}
diff --git a/powershell/public/EIDSCA/Test-MtEidscaAF06.md b/powershell/public/EIDSCA/Test-MtEidscaAF06.md
index d8e17709..fd00c06b 100644
--- a/powershell/public/EIDSCA/Test-MtEidscaAF06.md
+++ b/powershell/public/EIDSCA/Test-MtEidscaAF06.md
@@ -1,6 +1,6 @@ Defines if list of AADGUID will be used to allow or block registration. - +You should use Block or Allow as value to allow- or blocklisting of AAGuids. #### Test script ``` diff --git a/powershell/public/EIDSCA/Test-MtEidscaAP08.md b/powershell/public/EIDSCA/Test-MtEidscaAP08.md index 362179d2..851b147b 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaAP08.md +++ b/powershell/public/EIDSCA/Test-MtEidscaAP08.md @@ -5,7 +5,7 @@ Microsoft recommends to allow to user consent for apps from verified publisher f #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] = 'ManagePermissionGrantsForSelf.microsoft-user-default-low' +.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low' ``` #### Related links diff --git a/powershell/public/EIDSCA/Test-MtEidscaAP08.ps1 b/powershell/public/EIDSCA/Test-MtEidscaAP08.ps1 index 91f5de8e..049995de 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaAP08.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaAP08.ps1 
@@ -8,12 +8,12 @@ Queries policies/authorizationPolicy and returns the result of - graph/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' + graph/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' .EXAMPLE Test-MtEidscaAP08 - Returns the result of graph.microsoft.com/beta/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' + Returns the result of graph.microsoft.com/beta/policies/authorizationPolicy.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' #> Function Test-MtEidscaAP08 { @@ -23,7 +23,7 @@ Function Test-MtEidscaAP08 { $result = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -ApiVersion beta - $tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole[2] + $tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 $testResult = $tenantValue -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' if($testResult){ diff --git a/powershell/public/EIDSCA/Test-MtEidscaCP04.ps1 b/powershell/public/EIDSCA/Test-MtEidscaCP04.ps1 index 14d74118..100538af 100644 --- a/powershell/public/EIDSCA/Test-MtEidscaCP04.ps1 +++ b/powershell/public/EIDSCA/Test-MtEidscaCP04.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to??? is set to 'true' + Checks if Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to is set to 'true' .DESCRIPTION 
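Review bot: `$tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1` relies on the lexical ordering of policy ids to find the user-consent entry, which is only slightly less brittle than the `[2]` index it replaces: a tenant-defined policy id that sorts after `ManagePermissionGrantsForSelf.`, or an absent entry (which yields whichever other policy sorts last), changes the result without the test saying why. Filtering by prefix names the intent and is stable: `$tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' } | Select-Object -First 1`. With that, a `$null` result still fails the `-eq` comparison on the next line, and the failure markdown shows an empty value instead of an unrelated policy id. Test-MtEidscaAP08's body continues outside the hunk, and the same expression is repeated in the comment-based help above and in Test-MtEidscaAP08.md.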
diff --git a/powershell/public/Get-MtAuthenticationMethodPolicyConfig.ps1 b/powershell/public/Get-MtAuthenticationMethodPolicyConfig.ps1
new file mode 100644
index 00000000..8fe91200
--- /dev/null
+++ b/powershell/public/Get-MtAuthenticationMethodPolicyConfig.ps1
@@ -0,0 +1,26 @@
+<#
+.SYNOPSIS
+ Get details of authentication methods
+
+.DESCRIPTION
+ This function retrieves the configuration of authentication methods with specific state.
+
+.EXAMPLE
+ Get-MtAuthenticationMethodPolicyConfig -State Enabled
+#>
+function Get-MtAuthenticationMethodPolicyConfig {
+
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $false)]
+ [ValidateSet("Enabled", "Disabled")]
+ [string]$State
+ )
+
+ Write-Verbose -Message "Getting authenticationMethodConfigurations from Authentication Methods Policy."
+ if ($State) {
+ return (Invoke-MtGraphRequest -RelativeUri 'policies/authenticationMethodsPolicy' -ApiVersion beta).authenticationMethodConfigurations | where-object {$_.state -eq $state}
+ } else {
+ return (Invoke-MtGraphRequest -RelativeUri 'policies/authenticationMethodsPolicy' -ApiVersion beta).authenticationMethodConfigurations
+ }
+}
\ No newline at end of file
diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
index 180caacf..efe3d711 100644
--- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
+++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
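Review bot: The two branches of `if ($State)` issue the same Graph request and differ only in the trailing `where-object`, so the call is duplicated and any change to the URI or API version has to be made twice. Fetching once and filtering conditionally removes the duplication; the comment-based help should also gain a `.PARAMETER State` entry (e.g. "Return only configurations whose state matches; one of Enabled or Disabled; omit to return all") since the help block currently documents no parameter. The new file also lacks a trailing newline (`\ No newline at end of file`).
```powershell
    Write-Verbose -Message "Getting authenticationMethodConfigurations from Authentication Methods Policy."
    $configs = (Invoke-MtGraphRequest -RelativeUri 'policies/authenticationMethodsPolicy' -ApiVersion beta).authenticationMethodConfigurations
    if ($State) {
        $configs = $configs | Where-Object { $_.state -eq $State }
    }
    return $configs
```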
@@ -1,380 +1,402 @@
+BeforeDiscovery {
+$EnabledAuthMethods = (Get-MtAuthenticationMethodPolicyConfig -State Enabled).Id
+$EnabledAdminConsentWorkflow = (Invoke-MtGraphRequest -RelativeUri 'policies/adminConsentRequestPolicy' -ApiVersion beta).isenabled
+}
 Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP01" {
- It "EIDSCA.AP01: Default Authorization Settings - Enabled Self service password reset. See https://maester.dev/docs/tests/EIDSCA.AP01" {
- <#
- Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy"
- .allowedToUseSSPR = 'true'
- #>
- Test-MtEidscaAP01 | Should -Be 'true'
- }
+ It "EIDSCA.AP01: Default Authorization Settings - Enabled Self service password reset. See https://maester.dev/docs/tests/EIDSCA.AP01" {
+ <#
+ Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy"
+ .allowedToUseSSPR = 'true'
+ #>
+ Test-MtEidscaAP01 | Should -Be 'true'
+ }
 }
 Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP04" {
- It "EIDSCA.AP04: Default Authorization Settings - Guest invite restrictions. See https://maester.dev/docs/tests/EIDSCA.AP04" {
- <#
- Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy"
- .allowInvitesFrom = 'adminsAndGuestInviters'
- #>
- Test-MtEidscaAP04 | Should -Be 'adminsAndGuestInviters'
- }
+ It "EIDSCA.AP04: Default Authorization Settings - Guest invite restrictions. See https://maester.dev/docs/tests/EIDSCA.AP04" {
+ <#
+ Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy"
+ .allowInvitesFrom = 'adminsAndGuestInviters'
+ #>
+ Test-MtEidscaAP04 | Should -Be 'adminsAndGuestInviters'
+ }
 }
 Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP05" {
- It "EIDSCA.AP05: Default Authorization Settings - Sign-up for email based subscription. 
See https://maester.dev/docs/tests/EIDSCA.AP05" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowedToSignUpEmailBasedSubscriptions = 'false' - #> - Test-MtEidscaAP05 | Should -Be 'false' - } + It "EIDSCA.AP05: Default Authorization Settings - Sign-up for email based subscription. See https://maester.dev/docs/tests/EIDSCA.AP05" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .allowedToSignUpEmailBasedSubscriptions = 'false' + #> + Test-MtEidscaAP05 | Should -Be 'false' + } } Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP06" { - It "EIDSCA.AP06: Default Authorization Settings - User can joint the tenant by email validation. See https://maester.dev/docs/tests/EIDSCA.AP06" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowEmailVerifiedUsersToJoinOrganization = 'false' - #> - Test-MtEidscaAP06 | Should -Be 'false' - } + It "EIDSCA.AP06: Default Authorization Settings - User can joint the tenant by email validation. See https://maester.dev/docs/tests/EIDSCA.AP06" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .allowEmailVerifiedUsersToJoinOrganization = 'false' + #> + Test-MtEidscaAP06 | Should -Be 'false' + } } Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP07" { - It "EIDSCA.AP07: Default Authorization Settings - Guest user access. See https://maester.dev/docs/tests/EIDSCA.AP07" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .guestUserRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b' - #> - Test-MtEidscaAP07 | Should -Be '2af84b1e-32c8-42b7-82bc-daa82404023b' - } + It "EIDSCA.AP07: Default Authorization Settings - Guest user access. 
See https://maester.dev/docs/tests/EIDSCA.AP07" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .guestUserRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b' + #> + Test-MtEidscaAP07 | Should -Be '2af84b1e-32c8-42b7-82bc-daa82404023b' + } } Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP08" { - It "EIDSCA.AP08: Default Authorization Settings - User consent policy assigned for applications. See https://maester.dev/docs/tests/EIDSCA.AP08" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .permissionGrantPolicyIdsAssignedToDefaultUserRole[2] = 'ManagePermissionGrantsForSelf.microsoft-user-default-low' - #> - Test-MtEidscaAP08 | Should -Be 'ManagePermissionGrantsForSelf.microsoft-user-default-low' - } + It "EIDSCA.AP08: Default Authorization Settings - User consent policy assigned for applications. See https://maester.dev/docs/tests/EIDSCA.AP08" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low' + #> + Test-MtEidscaAP08 | Should -Be 'ManagePermissionGrantsForSelf.microsoft-user-default-low' + } } Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP09" { - It "EIDSCA.AP09: Default Authorization Settings - Risk-based step-up consent. See https://maester.dev/docs/tests/EIDSCA.AP09" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowUserConsentForRiskyApps = 'false' - #> - Test-MtEidscaAP09 | Should -Be 'false' - } + It "EIDSCA.AP09: Default Authorization Settings - Risk-based step-up consent. 
See https://maester.dev/docs/tests/EIDSCA.AP09" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .allowUserConsentForRiskyApps = 'false' + #> + Test-MtEidscaAP09 | Should -Be 'false' + } } Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP10" { - It "EIDSCA.AP10: Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. See https://maester.dev/docs/tests/EIDSCA.AP10" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .defaultUserRolePermissions.allowedToCreateApps = 'false' - #> - Test-MtEidscaAP10 | Should -Be 'false' - } + It "EIDSCA.AP10: Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. See https://maester.dev/docs/tests/EIDSCA.AP10" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .defaultUserRolePermissions.allowedToCreateApps = 'false' + #> + Test-MtEidscaAP10 | Should -Be 'false' + } } Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AP14" { - It "EIDSCA.AP14: Default Authorization Settings - Default User Role Permissions - Allowed to read other users. See https://maester.dev/docs/tests/EIDSCA.AP14" { - <# - Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .defaultUserRolePermissions.allowedToReadOtherUsers = 'true' - #> - Test-MtEidscaAP14 | Should -Be 'true' - } + It "EIDSCA.AP14: Default Authorization Settings - Default User Role Permissions - Allowed to read other users. 
See https://maester.dev/docs/tests/EIDSCA.AP14" { + <# + Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" + .defaultUserRolePermissions.allowedToReadOtherUsers = 'true' + #> + Test-MtEidscaAP14 | Should -Be 'true' + } } Describe "Default Settings - Consent Policy Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.CP01" { - It "EIDSCA.CP01: Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. See https://maester.dev/docs/tests/EIDSCA.CP01" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value = 'False' - #> - Test-MtEidscaCP01 | Should -Be 'False' - } + It "EIDSCA.CP01: Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. See https://maester.dev/docs/tests/EIDSCA.CP01" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value = 'False' + #> + Test-MtEidscaCP01 | Should -Be 'False' + } } Describe "Default Settings - Consent Policy Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.CP03" { - It "EIDSCA.CP03: Default Settings - Consent Policy Settings - Block user consent for risky apps. See https://maester.dev/docs/tests/EIDSCA.CP03" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value = 'true' - #> - Test-MtEidscaCP03 | Should -Be 'true' - } + It "EIDSCA.CP03: Default Settings - Consent Policy Settings - Block user consent for risky apps. 
See https://maester.dev/docs/tests/EIDSCA.CP03" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value = 'true' + #> + Test-MtEidscaCP03 | Should -Be 'true' + } } Describe "Default Settings - Consent Policy Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.CP04" { - It "EIDSCA.CP04: Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to???. See https://maester.dev/docs/tests/EIDSCA.CP04" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value = 'true' - #> - Test-MtEidscaCP04 | Should -Be 'true' - } + It "EIDSCA.CP04: Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. See https://maester.dev/docs/tests/EIDSCA.CP04" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value = 'true' + #> + Test-MtEidscaCP04 | Should -Be 'true' + } } Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR01" { - It "EIDSCA.PR01: Default Settings - Password Rule Settings - Password Protection - Mode. See https://maester.dev/docs/tests/EIDSCA.PR01" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value = 'Enforce' - #> - Test-MtEidscaPR01 | Should -Be 'Enforce' - } + It "EIDSCA.PR01: Default Settings - Password Rule Settings - Password Protection - Mode. 
See https://maester.dev/docs/tests/EIDSCA.PR01" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value = 'Enforce' + #> + Test-MtEidscaPR01 | Should -Be 'Enforce' + } } Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR02" { - It "EIDSCA.PR02: Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. See https://maester.dev/docs/tests/EIDSCA.PR02" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value = 'True' - #> - Test-MtEidscaPR02 | Should -Be 'True' - } + It "EIDSCA.PR02: Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. See https://maester.dev/docs/tests/EIDSCA.PR02" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value = 'True' + #> + Test-MtEidscaPR02 | Should -Be 'True' + } } Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR03" { - It "EIDSCA.PR03: Default Settings - Password Rule Settings - Enforce custom list. See https://maester.dev/docs/tests/EIDSCA.PR03" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value = 'True' - #> - Test-MtEidscaPR03 | Should -Be 'True' - } + It "EIDSCA.PR03: Default Settings - Password Rule Settings - Enforce custom list. 
See https://maester.dev/docs/tests/EIDSCA.PR03" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value = 'True' + #> + Test-MtEidscaPR03 | Should -Be 'True' + } } Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR05" { - It "EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. See https://maester.dev/docs/tests/EIDSCA.PR05" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value = '60' - #> - Test-MtEidscaPR05 | Should -Be '60' - } + It "EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. See https://maester.dev/docs/tests/EIDSCA.PR05" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value = '60' + #> + Test-MtEidscaPR05 | Should -Be '60' + } } Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR06" { - It "EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. See https://maester.dev/docs/tests/EIDSCA.PR06" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10' - #> - Test-MtEidscaPR06 | Should -Be '10' - } + It "EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. 
See https://maester.dev/docs/tests/EIDSCA.PR06" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10' + #> + Test-MtEidscaPR06 | Should -Be '10' + } } Describe "Default Settings - Classification and M365 Groups" -Tag "EIDSCA", "Security", "All", "EIDSCA.ST08" { - It "EIDSCA.ST08: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. See https://maester.dev/docs/tests/EIDSCA.ST08" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value = 'false' - #> - Test-MtEidscaST08 | Should -Be 'false' - } + It "EIDSCA.ST08: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. See https://maester.dev/docs/tests/EIDSCA.ST08" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value = 'false' + #> + Test-MtEidscaST08 | Should -Be 'false' + } } Describe "Default Settings - Classification and M365 Groups" -Tag "EIDSCA", "Security", "All", "EIDSCA.ST09" { - It "EIDSCA.ST09: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. See https://maester.dev/docs/tests/EIDSCA.ST09" { - <# - Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value = 'True' - #> - Test-MtEidscaST09 | Should -Be 'True' - } + It "EIDSCA.ST09: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. 
See https://maester.dev/docs/tests/EIDSCA.ST09" { + <# + Check if "https://graph.microsoft.com/beta/settings" + .values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value = 'True' + #> + Test-MtEidscaST09 | Should -Be 'True' + } } Describe "Authentication Method - General Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AG01" { - It "EIDSCA.AG01: Authentication Method - General Settings - Manage migration. See https://maester.dev/docs/tests/EIDSCA.AG01" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" - .policyMigrationState = 'migrationComplete' - #> - Test-MtEidscaAG01 | Should -Be 'migrationComplete' - } + It "EIDSCA.AG01: Authentication Method - General Settings - Manage migration. See https://maester.dev/docs/tests/EIDSCA.AG01" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" + .policyMigrationState = 'migrationComplete' + #> + Test-MtEidscaAG01 | Should -Be 'migrationComplete' + } } Describe "Authentication Method - General Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AG02" { - It "EIDSCA.AG02: Authentication Method - General Settings - Report suspicious activity - State. See https://maester.dev/docs/tests/EIDSCA.AG02" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" - .reportSuspiciousActivitySettings.state = 'enabled' - #> - Test-MtEidscaAG02 | Should -Be 'enabled' - } + It "EIDSCA.AG02: Authentication Method - General Settings - Report suspicious activity - State. 
See https://maester.dev/docs/tests/EIDSCA.AG02" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" + .reportSuspiciousActivitySettings.state = 'enabled' + #> + Test-MtEidscaAG02 | Should -Be 'enabled' + } } Describe "Authentication Method - General Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.AG03" { - It "EIDSCA.AG03: Authentication Method - General Settings - Report suspicious activity - Included users/groups. See https://maester.dev/docs/tests/EIDSCA.AG03" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" - .reportSuspiciousActivitySettings.includeTarget.id = 'all_users' - #> - Test-MtEidscaAG03 | Should -Be 'all_users' - } + It "EIDSCA.AG03: Authentication Method - General Settings - Report suspicious activity - Included users/groups. See https://maester.dev/docs/tests/EIDSCA.AG03" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" + .reportSuspiciousActivitySettings.includeTarget.id = 'all_users' + #> + Test-MtEidscaAG03 | Should -Be 'all_users' + } } Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM01" { - It "EIDSCA.AM01: Authentication Method - Microsoft Authenticator - State. See https://maester.dev/docs/tests/EIDSCA.AM01" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .state = 'enabled' - #> - Test-MtEidscaAM01 | Should -Be 'enabled' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM02" { - It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. 
See https://maester.dev/docs/tests/EIDSCA.AM02" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .state = 'enabled' - #> - Test-MtEidscaAM02 | Should -Be 'enabled' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM03" { - It "EIDSCA.AM03: Authentication Method - Microsoft Authenticator - Require number matching for push notifications. See https://maester.dev/docs/tests/EIDSCA.AM03" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.numberMatchingRequiredState.state = 'enabled' - #> - Test-MtEidscaAM03 | Should -Be 'enabled' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM04" { - It "EIDSCA.AM04: Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. See https://maester.dev/docs/tests/EIDSCA.AM04" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.numberMatchingRequiredState.includeTarget.id = 'all_users' - #> - Test-MtEidscaAM04 | Should -Be 'all_users' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM06" { - It "EIDSCA.AM06: Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. 
See https://maester.dev/docs/tests/EIDSCA.AM06" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayAppInformationRequiredState.state = 'enabled' - #> - Test-MtEidscaAM06 | Should -Be 'enabled' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM07" { - It "EIDSCA.AM07: Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM07" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayAppInformationRequiredState.includeTarget.id = 'all_users' - #> - Test-MtEidscaAM07 | Should -Be 'all_users' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM09" { - It "EIDSCA.AM09: Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM09" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayLocationInformationRequiredState.state = 'enabled' - #> - Test-MtEidscaAM09 | Should -Be 'enabled' - } -} -Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM10" { - It "EIDSCA.AM10: Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. 
See https://maester.dev/docs/tests/EIDSCA.AM10" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayLocationInformationRequiredState.includeTarget.id = 'all_users' - #> - Test-MtEidscaAM10 | Should -Be 'all_users' - } + It "EIDSCA.AM01: Authentication Method - Microsoft Authenticator - State. See https://maester.dev/docs/tests/EIDSCA.AM01" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .state = 'enabled' + #> + Test-MtEidscaAM01 | Should -Be 'enabled' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM02" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. See https://maester.dev/docs/tests/EIDSCA.AM02" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .state = 'enabled' + #> + Test-MtEidscaAM02 | Should -Be 'enabled' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM03" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM03: Authentication Method - Microsoft Authenticator - Require number matching for push notifications. 
See https://maester.dev/docs/tests/EIDSCA.AM03" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .featureSettings.numberMatchingRequiredState.state = 'enabled' + #> + Test-MtEidscaAM03 | Should -Be 'enabled' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM04" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM04: Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. See https://maester.dev/docs/tests/EIDSCA.AM04" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .featureSettings.numberMatchingRequiredState.includeTarget.id = 'all_users' + #> + Test-MtEidscaAM04 | Should -Be 'all_users' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM06" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM06: Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM06" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .featureSettings.displayAppInformationRequiredState.state = 'enabled' + #> + Test-MtEidscaAM06 | Should -Be 'enabled' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM07" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM07: Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. 
See https://maester.dev/docs/tests/EIDSCA.AM07" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .featureSettings.displayAppInformationRequiredState.includeTarget.id = 'all_users' + #> + Test-MtEidscaAM07 | Should -Be 'all_users' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM09" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM09: Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM09" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .featureSettings.displayLocationInformationRequiredState.state = 'enabled' + #> + Test-MtEidscaAM09 | Should -Be 'enabled' + } +} +Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM10" -Skip:( $EnabledAuthMethods -notcontains 'MicrosoftAuthenticator' ) { + It "EIDSCA.AM10: Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM10" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" + .featureSettings.displayLocationInformationRequiredState.includeTarget.id = 'all_users' + #> + Test-MtEidscaAM10 | Should -Be 'all_users' + } } Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF01" { - It "EIDSCA.AF01: Authentication Method - FIDO2 security key - State. 
See https://maester.dev/docs/tests/EIDSCA.AF01" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .state = 'enabled' - #> - Test-MtEidscaAF01 | Should -Be 'enabled' - } -} -Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF02" { - It "EIDSCA.AF02: Authentication Method - FIDO2 security key - Allow self-service set up. See https://maester.dev/docs/tests/EIDSCA.AF02" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .isSelfServiceRegistrationAllowed = 'true' - #> - Test-MtEidscaAF02 | Should -Be 'true' - } -} -Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF03" { - It "EIDSCA.AF03: Authentication Method - FIDO2 security key - Enforce attestation. See https://maester.dev/docs/tests/EIDSCA.AF03" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .isAttestationEnforced = 'true' - #> - Test-MtEidscaAF03 | Should -Be 'true' - } -} -Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF06" { - It "EIDSCA.AF06: Authentication Method - FIDO2 security key - Restrict specific keys. See https://maester.dev/docs/tests/EIDSCA.AF06" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true' - #> - Test-MtEidscaAF06 | Should -Be 'true' - } + It "EIDSCA.AF01: Authentication Method - FIDO2 security key - State. 
See https://maester.dev/docs/tests/EIDSCA.AF01" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" + .state = 'enabled' + #> + Test-MtEidscaAF01 | Should -Be 'enabled' + } +} +Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF02" -Skip:( $EnabledAuthMethods -notcontains 'Fido2' ) { + It "EIDSCA.AF02: Authentication Method - FIDO2 security key - Allow self-service set up. See https://maester.dev/docs/tests/EIDSCA.AF02" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" + .isSelfServiceRegistrationAllowed = 'true' + #> + Test-MtEidscaAF02 | Should -Be 'true' + } +} +Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF03" -Skip:( $EnabledAuthMethods -notcontains 'Fido2' ) { + It "EIDSCA.AF03: Authentication Method - FIDO2 security key - Enforce attestation. See https://maester.dev/docs/tests/EIDSCA.AF03" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" + .isAttestationEnforced = 'true' + #> + Test-MtEidscaAF03 | Should -Be 'true' + } +} +Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF04" -Skip:( $EnabledAuthMethods -notcontains 'Fido2' ) { + It "EIDSCA.AF04: Authentication Method - FIDO2 security key - Enforce key restrictions. 
See https://maester.dev/docs/tests/EIDSCA.AF04" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" + .keyRestrictions.isEnforced = 'true' + #> + Test-MtEidscaAF04 | Should -Be 'true' + } +} +Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF05" -Skip:( $EnabledAuthMethods -notcontains 'Fido2' -and (Test-MtEidscaAF04) -eq $false ) { + It "EIDSCA.AF05: Authentication Method - FIDO2 security key - Restricted. See https://maester.dev/docs/tests/EIDSCA.AF05" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" + .keyRestrictions.aaGuids -notcontains $null = 'true' + #> + Test-MtEidscaAF05 | Should -Be 'true' + } +} +Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", "All", "EIDSCA.AF06" -Skip:( $EnabledAuthMethods -notcontains 'Fido2' -and (Test-MtEidscaAF04) -eq $false ) { + It "EIDSCA.AF06: Authentication Method - FIDO2 security key - Restrict specific keys. See https://maester.dev/docs/tests/EIDSCA.AF06" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" + .keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true' + #> + Test-MtEidscaAF06 | Should -Be 'true' + } } Describe "Authentication Method - Temporary Access Pass" -Tag "EIDSCA", "Security", "All", "EIDSCA.AT01" { - It "EIDSCA.AT01: Authentication Method - Temporary Access Pass - State. 
See https://maester.dev/docs/tests/EIDSCA.AT01" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')" - .state = 'enabled' - #> - Test-MtEidscaAT01 | Should -Be 'enabled' - } -} -Describe "Authentication Method - Temporary Access Pass" -Tag "EIDSCA", "Security", "All", "EIDSCA.AT02" { - It "EIDSCA.AT02: Authentication Method - Temporary Access Pass - One-time. See https://maester.dev/docs/tests/EIDSCA.AT02" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')" - .isUsableOnce = 'false' - #> - Test-MtEidscaAT02 | Should -Be 'false' - } + It "EIDSCA.AT01: Authentication Method - Temporary Access Pass - State. See https://maester.dev/docs/tests/EIDSCA.AT01" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')" + .state = 'enabled' + #> + Test-MtEidscaAT01 | Should -Be 'enabled' + } +} +Describe "Authentication Method - Temporary Access Pass" -Tag "EIDSCA", "Security", "All", "EIDSCA.AT02" -Skip:( $EnabledAuthMethods -notcontains 'TemporaryAccessPass' ) { + It "EIDSCA.AT02: Authentication Method - Temporary Access Pass - One-time. See https://maester.dev/docs/tests/EIDSCA.AT02" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')" + .isUsableOnce = 'false' + #> + Test-MtEidscaAT02 | Should -Be 'false' + } } Describe "Authentication Method - Voice call" -Tag "EIDSCA", "Security", "All", "EIDSCA.AV01" { - It "EIDSCA.AV01: Authentication Method - Voice call - State. 
See https://maester.dev/docs/tests/EIDSCA.AV01" { - <# - Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Voice')" - .state = 'disabled' - #> - Test-MtEidscaAV01 | Should -Be 'disabled' - } + It "EIDSCA.AV01: Authentication Method - Voice call - State. See https://maester.dev/docs/tests/EIDSCA.AV01" { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Voice')" + .state = 'disabled' + #> + Test-MtEidscaAV01 | Should -Be 'disabled' + } } Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR01" { - It "EIDSCA.CR01: Consent Framework - Admin Consent Request - Users can request admin consent to apps they are unable to consent to. See https://maester.dev/docs/tests/EIDSCA.CR01" { - <# - Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .isEnabled = 'true' - #> - Test-MtEidscaCR01 | Should -Be 'true' - } -} -Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR02" { - It "EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. See https://maester.dev/docs/tests/EIDSCA.CR02" { - <# - Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .notifyReviewers = 'true' - #> - Test-MtEidscaCR02 | Should -Be 'true' - } -} -Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR03" { - It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. 
See https://maester.dev/docs/tests/EIDSCA.CR03" { - <# - Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .notifyReviewers = 'true' - #> - Test-MtEidscaCR03 | Should -Be 'true' - } -} -Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR04" { - It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). See https://maester.dev/docs/tests/EIDSCA.CR04" { - <# - Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .requestDurationInDays = '30' - #> - Test-MtEidscaCR04 | Should -Be '30' - } + It "EIDSCA.CR01: Consent Framework - Admin Consent Request - Users can request admin consent to apps they are unable to consent to. See https://maester.dev/docs/tests/EIDSCA.CR01" { + <# + Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" + .isEnabled = 'true' + #> + Test-MtEidscaCR01 | Should -Be 'true' + } +} +Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR02" -Skip:( ($EnabledAdminConsentWorkflow) -eq $false ) { + It "EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. See https://maester.dev/docs/tests/EIDSCA.CR02" { + <# + Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" + .notifyReviewers = 'true' + #> + Test-MtEidscaCR02 | Should -Be 'true' + } +} +Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR03" -Skip:( ($EnabledAdminConsentWorkflow) -eq $false ) { + It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. 
See https://maester.dev/docs/tests/EIDSCA.CR03" { + <# + Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" + .notifyReviewers = 'true' + #> + Test-MtEidscaCR03 | Should -Be 'true' + } +} +Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR04" -Skip:( ($EnabledAdminConsentWorkflow) -eq $false ) { + It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). See https://maester.dev/docs/tests/EIDSCA.CR04" { + <# + Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" + .requestDurationInDays = '30' + #> + Test-MtEidscaCR04 | Should -Be '30' + } } diff --git a/website/docs/tests/eidsca/EIDSCA.AF04.md b/website/docs/tests/eidsca/EIDSCA.AF04.md new file mode 100644 index 00000000..2380b497 --- /dev/null +++ b/website/docs/tests/eidsca/EIDSCA.AF04.md 
@@ -0,0 +1,30 @@ +--- +title: EIDSCA.AF04 - Authentication Method - FIDO2 security key - Enforce key restrictions +slug: /tests/EIDSCA.AF04 +sidebar_class_name: hidden +--- + +# Authentication Method - FIDO2 security key - Enforce key restrictions + +Manages if registration of FIDO2 keys should be restricted. + +| | | +|-|-| +| **Name** | keyRestrictions.isEnforced | +| **Control** | Authentication Method - FIDO2 security key | +| **Description** | Define configuration settings and users or groups that are enabled to use FIDO2 security keys | +| **Severity** | Low | + +## How to fix +| | | +|-|-| +| **Recommendation** | Restrict usage of FIDO2 from unauthorized vendors or platforms | +| **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') | +| **Setting** | `keyRestrictions.isEnforced` | +| **Recommended Value** | 'true' | +| **Default Value** | false | +| **Graph API Docs** | [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration) | +| **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | + + + diff --git a/website/docs/tests/eidsca/EIDSCA.AF05.md b/website/docs/tests/eidsca/EIDSCA.AF05.md new file mode 100644 index 00000000..4dd0397f --- /dev/null +++ b/website/docs/tests/eidsca/EIDSCA.AF05.md 
@@ -0,0 +1,30 @@ +--- +title: EIDSCA.AF05 - Authentication Method - FIDO2 security key - Restricted +slug: /tests/EIDSCA.AF05 +sidebar_class_name: hidden +--- + +# Authentication Method - FIDO2 security key - Restricted + +You can work with your Security key provider to determine the AAGuids of their devices for allowing or blocking usage. + +| | | +|-|-| +| **Name** | keyRestrictions.aaGuids | +| **Control** | Authentication Method - FIDO2 security key | +| **Description** | Define configuration settings and users or groups that are enabled to use FIDO2 security keys | +| **Severity** | Low | + +## How to fix +| | | +|-|-| +| **Recommendation** | | +| **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') | +| **Setting** | `keyRestrictions.aaGuids -notcontains $null` | +| **Recommended Value** | 'true' | +| **Default Value** | | +| **Graph API Docs** | [fido2AuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/fido2authenticationmethodconfiguration) | +| **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | + + + diff --git a/website/docs/tests/eidsca/EIDSCA.AF06.md b/website/docs/tests/eidsca/EIDSCA.AF06.md index d4002ee5..eab210e6 100644 --- a/website/docs/tests/eidsca/EIDSCA.AF06.md +++ b/website/docs/tests/eidsca/EIDSCA.AF06.md 
@@ -18,7 +18,7 @@ Defines if list of AADGUID will be used to allow or block registration. ## How to fix | | | |-|-| -| **Recommendation** | | +| **Recommendation** | You should use Block or Allow as value to allow- or blocklisting of AAGuids. | | **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') | | **Setting** | `keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block')` | | **Recommended Value** | 'true' | diff --git a/website/docs/tests/eidsca/EIDSCA.AP08.md b/website/docs/tests/eidsca/EIDSCA.AP08.md index c1943117..908be9f7 100644 --- a/website/docs/tests/eidsca/EIDSCA.AP08.md +++ b/website/docs/tests/eidsca/EIDSCA.AP08.md @@ -20,7 +20,7 @@ Defines if user consent to apps is allowed, and if it is, which app consent poli |-|-| | **Recommendation** | Microsoft recommends to allow to user consent for apps from verified publisher for selected permissions. CISA SCuBA 2.7 defines that all Non-Admin Users SHALL Be Prevented From Providing Consent To Third-Party Applications. | | **Configuration** | policies/authorizationPolicy | -| **Setting** | `permissionGrantPolicyIdsAssignedToDefaultUserRole[2]` | +| **Setting** | `permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1` | | **Recommended Value** | 'ManagePermissionGrantsForSelf.microsoft-user-default-low' | | **Default Value** | ManagePermissionGrantsForSelf.microsoft-user-default-legacy | | **Graph API Docs** | [authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/authorizationpolicy) | @@ -39,7 +39,7 @@ mindmap TA0008 - Lateral Movement - Lateral Movement (Mitigation) M1017 - User Training - M1018 - User Account Management + M1018 - User Account Management (Technique) T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts 
@@ -48,5 +48,5 @@ mindmap ``` |Tactic|Technique|Mitigation| |---|---|---| -|[TA0001 - Initial Access - Initial Access](https://attack.mitre.org/tactics/TA0001)
[TA0005 - Defense Evasion - Defense Evasion](https://attack.mitre.org/tactics/TA0005)
[TA0006 - Credential Access - Credential Access](https://attack.mitre.org/tactics/TA0006)
[TA0008 - Lateral Movement - Lateral Movement](https://attack.mitre.org/tactics/TA0008)|[T1566.002 - Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)
[T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078)
[T1550 - Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)
[T1528 - Steal Application Access Token](https://attack.mitre.org/techniques/T1528)|[M1017 - User Training](https://attack.mitre.org/mitigations/M1017)
[ M1018 - User Account Management](https://attack.mitre.org/mitigations/M1018)| +|[TA0001 - Initial Access - Initial Access](https://attack.mitre.org/tactics/TA0001)
[TA0005 - Defense Evasion - Defense Evasion](https://attack.mitre.org/tactics/TA0005)
[TA0006 - Credential Access - Credential Access](https://attack.mitre.org/tactics/TA0006)
[TA0008 - Lateral Movement - Lateral Movement](https://attack.mitre.org/tactics/TA0008)|[T1566.002 - Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)
[T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078)
[T1550 - Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)
[T1528 - Steal Application Access Token](https://attack.mitre.org/techniques/T1528)|[M1017 - User Training](https://attack.mitre.org/mitigations/M1017)
[M1018 - User Account Management](https://attack.mitre.org/mitigations/M1018)| diff --git a/website/docs/tests/eidsca/EIDSCA.CP04.md b/website/docs/tests/eidsca/EIDSCA.CP04.md index a003d80f..c63bebce 100644 --- a/website/docs/tests/eidsca/EIDSCA.CP04.md +++ b/website/docs/tests/eidsca/EIDSCA.CP04.md @@ -1,10 +1,10 @@ --- -title: EIDSCA.CP04 - Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to??? +title: EIDSCA.CP04 - Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to slug: /tests/EIDSCA.CP04 sidebar_class_name: hidden --- -# Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to??? +# Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to If this option is set to enabled, then users request admin consent to any app that requires access to data they do not have the permission to grant. If this option is set to disabled, then users must contact their admin to request to consent in order to use the apps they need. From 0360a197fa8f6215ae02aef6e35be1da512141d1 Mon Sep 17 00:00:00 2001 From: cloud-architekt Date: Mon, 1 Apr 2024 20:10:37 +0200 Subject: [PATCH 3/3] Remove duplicated entry for Discovery --- build/EIDSCA/Update-EidscaTests.ps1 | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/build/EIDSCA/Update-EidscaTests.ps1 b/build/EIDSCA/Update-EidscaTests.ps1 index 104f0d79..42d0b962 100644 --- a/build/EIDSCA/Update-EidscaTests.ps1 +++ b/build/EIDSCA/Update-EidscaTests.ps1 
@@ -355,14 +355,6 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" { [void]$sb.AppendLine($testOutputList) } } -$output = @' -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product "EntraID" - $EnabledAuthMethods = (Get-MtAuthenticationMethodPolicyConfig -State Enabled).Id - $EnabledAdminConsentWorkflow = (Invoke-MtGraphRequest -RelativeUri 'policies/adminConsentRequestPolicy' -ApiVersion beta).isenabled -} - -'@ $output = @' BeforeDiscovery { @@ -370,9 +362,8 @@ BeforeDiscovery { '@ - +# Replace placeholder with Discovery checks from definition in EIDSCA JSON $output = $output.Replace('',($Discovery | Out-String)) $output += $sb.ToString() - $output | Out-File $TestFilePath -Encoding utf8 \ No newline at end of file
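Review bot: The comment added in the second hunk (`+# Replace placeholder with Discovery checks ...`) should name the token that the following `$output.Replace(` call looks for, because in this rendering the first argument shows as `''` and a genuinely empty search string makes `[string]::Replace` throw; naming it also makes the coupling with the `BeforeDiscovery` here-string template visible, e.g. `# Replace the <PLACEHOLDER-TOKEN> marker in the BeforeDiscovery template with the discovery checks generated from the EIDSCA JSON`. The duplicate here-string deleted in the first hunk was the copy that visibly defined `$EnabledAuthMethods` and `$EnabledAdminConsentWorkflow`; the retained here-string's body is outside the hunk, so it is worth confirming it still sets both, since the generated `-Skip:( $EnabledAuthMethods -notcontains 'Fido2' )` and `-Skip:( ($EnabledAdminConsentWorkflow) -eq $false )` conditions would, on an unset variable, silently skip every FIDO2 check rather than fail loudly. The enclosing script continues outside both hunks.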