Merge pull request #487 from maester365/tnh-EidscaValueBugFixes

Bug fixes on invalid or wrong EIDSCA value checks

build/eidsca/Update-EidscaTests.ps1

@@ -306,6 +306,12 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
         }
 
         $output = $template
+
+        # Replace string with int if DefaultValue is a number and expecting an int as configuration value
+        if ($controlItem.DefaultValue -match "^[\d\.]+$") {
+            $output = $output -replace 'string', 'int'
+        }
+
         $output = $output -replace '%DocName%', $docName
         $output = $output -replace '%ControlName%', $control.ControlName
         $output = $output -replace '%Description%', $control.Description
@@ -434,6 +440,7 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" {
         $testOutput = UpdateTemplate -template $testTemplate -control $control -controlItem $controlItem -docName $docName
         $docsOutput = UpdateTemplate -template $docsTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true
         $psOutput = UpdateTemplate -template $psTemplate -control $control -controlItem $controlItem -docName $docName
+
         $psMarkdownOutput = UpdateTemplate -template $psMarkdownTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true
 
         if ($testOutput -ne '') {

powershell/internal/eidsca/Test-MtEidscaAM01.ps1

@@ -21,6 +21,7 @@ function Test-MtEidscaAM01 {
     [OutputType([bool])]
     param()
 
+
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta
 
     [string]$tenantValue = $result.state

powershell/internal/eidsca/Test-MtEidscaAM02.md

@@ -1,11 +1,11 @@
 Defines if users can use the OTP code generated by the Authenticator App.
 
-enabled
+true
 
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.state = 'enabled'
+.isSoftwareOathEnabled = 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM02.ps1

@@ -1,19 +1,19 @@
 <#
 .SYNOPSIS
-    Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'enabled'
+    Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'true'
 
 .DESCRIPTION
 
     Defines if users can use the OTP code generated by the Authenticator App.
 
     Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
     and returns the result of
-     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').state -eq 'enabled'
+     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'true'
 
 .EXAMPLE
     Test-MtEidscaAM02
 
-    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').state -eq 'enabled'
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'true'
 #>
 
 function Test-MtEidscaAM02 {
@@ -27,16 +27,16 @@ function Test-MtEidscaAM02 {
     }
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta
 
-    [string]$tenantValue = $result.state
-    $testResult = $tenantValue -eq 'enabled'
-    $tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
+    [string]$tenantValue = $result.isSoftwareOathEnabled
+    $testResult = $tenantValue -eq 'true'
+    $tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
 
     if($testResult){
-        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
+        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
     } elseif ($tenantValueNotSet) {
-        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
+        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
     } else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 

powershell/internal/eidsca/Test-MtEidscaCR03.md

@@ -5,7 +5,7 @@ Specifies whether reviewers will receive reminder emails
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.notifyReviewers = 'true'
+.remindersEnabled = 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCR03.ps1

@@ -8,12 +8,12 @@
 
     Queries policies/adminConsentRequestPolicy
     and returns the result of
-     graph/policies/adminConsentRequestPolicy.notifyReviewers -eq 'true'
+     graph/policies/adminConsentRequestPolicy.remindersEnabled -eq 'true'
 
 .EXAMPLE
     Test-MtEidscaCR03
 
-    Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.notifyReviewers -eq 'true'
+    Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.remindersEnabled -eq 'true'
 #>
 
 function Test-MtEidscaCR03 {
@@ -27,7 +27,7 @@ function Test-MtEidscaCR03 {
     }
     $result = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -ApiVersion beta
 
-    [string]$tenantValue = $result.notifyReviewers
+    [string]$tenantValue = $result.remindersEnabled
     $testResult = $tenantValue -eq 'true'
     $tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
 

powershell/internal/eidsca/Test-MtEidscaPR05.ps1

@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is greater or equal to '60'
+    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to '60'
 
 .DESCRIPTION
 
@@ -24,8 +24,8 @@ function Test-MtEidscaPR05 {
 
     $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 
-    [string]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value
-    $testResult = [int]$tenantValue -ge [int]'60'
+    [int]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value
+    $testResult = $tenantValue -ge '60'
     $tenantValueNotSet = $null -eq $tenantValue -and '60' -notlike '*$null*'
 
     if($testResult){

powershell/internal/eidsca/Test-MtEidscaPR06.ps1

@@ -24,7 +24,7 @@ function Test-MtEidscaPR06 {
 
     $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 
-    [string]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value
+    [int]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value
     $testResult = $tenantValue -eq '10'
     $tenantValueNotSet = $null -eq $tenantValue -and '10' -notlike '*$null*'
 

tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1

@@ -219,9 +219,9 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur
     It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. See https://maester.dev/docs/tests/EIDSCA.AM02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } {
         <#
             Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')"
-            .state = 'enabled'
+            .isSoftwareOathEnabled = 'true'
         #>
-        Test-MtEidscaControl -CheckId AM02 | Should -Be 'enabled'
+        Test-MtEidscaControl -CheckId AM02 | Should -Be 'true'
     }
 }
 Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM03" {
@@ -395,7 +395,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security",
     It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. See https://maester.dev/docs/tests/EIDSCA.CR03" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } {
         <#
             Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy"
-            .notifyReviewers = 'true'
+            .remindersEnabled = 'true'
         #>
         Test-MtEidscaControl -CheckId CR03 | Should -Be 'true'
     }

website/docs/tests/eidsca/EIDSCA.AM02.md

@@ -22,11 +22,11 @@ Defines if users can use the OTP code generated by the Authenticator App.
 ### Details of configuration item
 | | |
 |-|-|
-| **Recommendation** | enabled |
+| **Recommendation** | true |
 | **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') |
-| **Setting** | `state` |
-| **Recommended Value** | 'enabled' |
-| **Default Value** | enabled |
+| **Setting** | `isSoftwareOathEnabled` |
+| **Recommended Value** | 'true' |
+| **Default Value** | true |
 | **Graph API Docs** | [microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/microsoftauthenticatorauthenticationmethodconfiguration) |
 | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
 

website/docs/tests/eidsca/EIDSCA.CR03.md

@@ -10,7 +10,7 @@ Specifies whether reviewers will receive reminder emails
 
 | | |
 |-|-|
-| **Name** | notifyReviewers |
+| **Name** | remindersEnabled |
 | **Control** | Consent Framework - Admin Consent Request |
 | **Description** | Represents the policy for enabling or disabling the Azure AD admin consent workflow. The admin consent workflow allows users to request access for apps that they wish to use and that require admin authorization before users can use the apps to access organizational data.  |
 | **Severity** |  |
@@ -24,7 +24,7 @@ Specifies whether reviewers will receive reminder emails
 |-|-|
 | **Recommendation** |  |
 | **Configuration** | policies/adminConsentRequestPolicy |
-| **Setting** | `notifyReviewers` |
+| **Setting** | `remindersEnabled` |
 | **Recommended Value** | 'true' |
 | **Default Value** |  |
 | **Graph API Docs** | [adminConsentRequestPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/adminconsentrequestpolicy) |