From 83a11fa8873c397d160d6bf74c9080a6c2234f6e Mon Sep 17 00:00:00 2001
From: Thomas Naunheim
Date: Wed, 25 Sep 2024 21:02:32 +0200
Subject: [PATCH 1/4] Fixed AM02 and CR03 from EIDSCA config

---
 powershell/internal/eidsca/Test-MtEidscaAM02.md | 2 +-
 powershell/internal/eidsca/Test-MtEidscaAM02.ps1 | 6 +++---
 powershell/internal/eidsca/Test-MtEidscaCR03.md | 2 +-
 powershell/internal/eidsca/Test-MtEidscaCR03.ps1 | 6 +++---
 tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 4 ++--
 website/docs/tests/eidsca/EIDSCA.AM02.md | 2 +-
 website/docs/tests/eidsca/EIDSCA.CR03.md | 4 ++--
 7 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.md b/powershell/internal/eidsca/Test-MtEidscaAM02.md
index d43f2b61..d4ac6fb3 100644
--- a/powershell/internal/eidsca/Test-MtEidscaAM02.md
+++ b/powershell/internal/eidsca/Test-MtEidscaAM02.md
@@ -5,7 +5,7 @@ enabled
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.state = 'enabled'
+.isSoftwareOathEnabled = 'enabled'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM02.ps1
index 5ddbe2f2..e250ccdf 100644
--- a/powershell/internal/eidsca/Test-MtEidscaAM02.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaAM02.ps1
@@ -8,12 +8,12 @@
 
     Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
     and returns the result of
-     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').state -eq 'enabled'
+     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'enabled'
 
 .EXAMPLE
     Test-MtEidscaAM02
 
-    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').state -eq 'enabled'
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'enabled'
 #>
 
 function Test-MtEidscaAM02 {
@@ -27,7 +27,7 @@ function Test-MtEidscaAM02 {
     }
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta
 
-    [string]$tenantValue = $result.state
+    [string]$tenantValue = $result.isSoftwareOathEnabled
     $testResult = $tenantValue -eq 'enabled'
     $tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
 
diff --git a/powershell/internal/eidsca/Test-MtEidscaCR03.md b/powershell/internal/eidsca/Test-MtEidscaCR03.md
index 69d56065..c608019d 100644
--- a/powershell/internal/eidsca/Test-MtEidscaCR03.md
+++ b/powershell/internal/eidsca/Test-MtEidscaCR03.md
@@ -5,7 +5,7 @@ Specifies whether reviewers will receive reminder emails
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.notifyReviewers = 'true'
+.remindersEnabled = 'true'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaCR03.ps1 b/powershell/internal/eidsca/Test-MtEidscaCR03.ps1
index 0f2476a4..c41087de 100644
--- a/powershell/internal/eidsca/Test-MtEidscaCR03.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaCR03.ps1
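Review bot: The new `[string]$tenantValue = $result.isSoftwareOathEnabled` line in the second hunk is still compared on the next line with `$tenantValue -eq 'enabled'`, but isSoftwareOathEnabled is a Boolean on the Graph microsoftAuthenticatorAuthenticationMethodConfiguration resource, so after the string cast the tenant value is 'True' or 'False' and `$testResult` can never be true; every tenant is reported as misconfigured. The fourth patch in this series switches the expected value to `'true'`, which works only because PowerShell string `-eq` is case-insensitive; comparing the boolean directly, `$testResult = [bool]$result.isSoftwareOathEnabled`, would not depend on that. Test-MtEidscaAM02's body continues outside the hunk, and the same value-rename pattern for CR03 below compares a Boolean (remindersEnabled) with 'true', which is fine for the same case-insensitivity reason.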
@@ -8,12 +8,12 @@
 
     Queries policies/adminConsentRequestPolicy
     and returns the result of
-     graph/policies/adminConsentRequestPolicy.notifyReviewers -eq 'true'
+     graph/policies/adminConsentRequestPolicy.remindersEnabled -eq 'true'
 
 .EXAMPLE
     Test-MtEidscaCR03
 
-    Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.notifyReviewers -eq 'true'
+    Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.remindersEnabled -eq 'true'
 #>
 
 function Test-MtEidscaCR03 {
@@ -27,7 +27,7 @@ function Test-MtEidscaCR03 {
     }
     $result = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -ApiVersion beta
 
-    [string]$tenantValue = $result.notifyReviewers
+    [string]$tenantValue = $result.remindersEnabled
     $testResult = $tenantValue -eq 'true'
     $tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
 
diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
index c271e7be..89e59c6a 100644
--- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
+++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
@@ -219,7 +219,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur
     It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. See https://maester.dev/docs/tests/EIDSCA.AM02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } {
         <#
             Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')"
-            .state = 'enabled'
+            .isSoftwareOathEnabled = 'enabled'
         #>
         Test-MtEidscaControl -CheckId AM02 | Should -Be 'enabled'
     }
@@ -395,7 +395,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security",
     It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. See https://maester.dev/docs/tests/EIDSCA.CR03" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } {
         <#
             Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy"
-            .notifyReviewers = 'true'
+            .remindersEnabled = 'true'
         #>
         Test-MtEidscaControl -CheckId CR03 | Should -Be 'true'
     }
diff --git a/website/docs/tests/eidsca/EIDSCA.AM02.md b/website/docs/tests/eidsca/EIDSCA.AM02.md
index ab745cd2..3699165c 100644
--- a/website/docs/tests/eidsca/EIDSCA.AM02.md
+++ b/website/docs/tests/eidsca/EIDSCA.AM02.md
@@ -24,7 +24,7 @@ Defines if users can use the OTP code generated by the Authenticator App.
 |-|-|
 | **Recommendation** | enabled |
 | **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') |
-| **Setting** | `state` |
+| **Setting** | `isSoftwareOathEnabled` |
 | **Recommended Value** | 'enabled' |
 | **Default Value** | enabled |
 | **Graph API Docs** | [microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/microsoftauthenticatorauthenticationmethodconfiguration) |
diff --git a/website/docs/tests/eidsca/EIDSCA.CR03.md b/website/docs/tests/eidsca/EIDSCA.CR03.md
index e71a965e..b9997ac2 100644
--- a/website/docs/tests/eidsca/EIDSCA.CR03.md
+++ b/website/docs/tests/eidsca/EIDSCA.CR03.md
@@ -10,7 +10,7 @@ Specifies whether reviewers will receive reminder emails
 
 | | |
 |-|-|
-| **Name** | notifyReviewers |
+| **Name** | remindersEnabled |
 | **Control** | Consent Framework - Admin Consent Request |
 | **Description** | Represents the policy for enabling or disabling the Azure AD admin consent workflow. The admin consent workflow allows users to request access for apps that they wish to use and that require admin authorization before users can use the apps to access organizational data. |
 | **Severity** | |
@@ -24,7 +24,7 @@ Specifies whether reviewers will receive reminder emails
 |-|-|
 | **Recommendation** | |
 | **Configuration** | policies/adminConsentRequestPolicy |
-| **Setting** | `notifyReviewers` |
+| **Setting** | `remindersEnabled` |
 | **Recommended Value** | 'true' |
 | **Default Value** | |
 | **Graph API Docs** | [adminConsentRequestPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/adminconsentrequestpolicy) |
From fe58909fa7a074d9197138777c401bd51130044c Mon Sep 17 00:00:00 2001
From: Thomas Naunheim
Date: Sat, 28 Sep 2024 13:29:17 +0200
Subject: [PATCH 2/4] First draft of bug fixes

---
 build/eidsca/Update-EidscaTests.ps1 | 8 ++++++++
 .../internal/eidsca/Test-MtEidscaAM01.ps1 | 1 +
 .../internal/eidsca/Test-MtEidscaPR05.md | 2 +-
 .../internal/eidsca/Test-MtEidscaPR05.ps1 | 18 +++++++++---------
 .../internal/eidsca/Test-MtEidscaPR06.md | 2 +-
 .../internal/eidsca/Test-MtEidscaPR06.ps1 | 18 +++++++++---------
 tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 8 ++++----
 7 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1
index a3493580..c2a22520 100644
--- a/build/eidsca/Update-EidscaTests.ps1
+++ b/build/eidsca/Update-EidscaTests.ps1
@@ -306,6 +306,13 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
     }
 
     $output = $template
+
+    # Replace string with int if DefaultValue is a number and expecting an int as configuration value
+    if ($controlItem.DefaultValue -match "^[\d\.]+$") {
+        $output = $output -replace 'string', 'int'
+        $output = $output -replace '%RecommendedValue%' , '[int]%RecommendedValue%'
+    }
+
     $output = $output -replace '%DocName%', $docName
     $output = $output -replace '%ControlName%', $control.ControlName
     $output = $output -replace '%Description%', $control.Description
@@ -434,6 +441,7 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" {
     $testOutput = UpdateTemplate -template $testTemplate -control $control -controlItem $controlItem -docName $docName
     $docsOutput = UpdateTemplate -template $docsTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true
     $psOutput = UpdateTemplate -template $psTemplate -control $control -controlItem $controlItem -docName $docName
+    $psMarkdownOutput = UpdateTemplate -template $psMarkdownTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true
 
     if ($testOutput -ne '') {
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1
index 5a62d126..e430e915 100644
--- a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1
@@ -21,6 +21,7 @@ function Test-MtEidscaAM01 {
     [OutputType([bool])]
     param()
 
+
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta
 
     [string]$tenantValue = $result.state
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR05.md b/powershell/internal/eidsca/Test-MtEidscaPR05.md
index 724246d4..8af4dc6e 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR05.md
+++ b/powershell/internal/eidsca/Test-MtEidscaPR05.md
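Review bot: `$output = $output -replace 'string', 'int'` in the first hunk rewrites every occurrence of the regex `string` (case-insensitive) across the whole rendered template, not just the `[string]` cast, so any control name, description or markdown sentence that happens to contain "string" is silently altered whenever a control has a numeric DefaultValue. Anchoring the pattern to the cast limits the blast radius: `$output = $output -replace '\[string\]', '[int]'`. The guard `"^[\d\.]+$"` also accepts values such as '1.5' or a lone '.', for which an `[int]` cast rounds or throws; `"^\d+$"` matches what the comment above it says. UpdateTemplate starts and ends outside this hunk, and the `$psMarkdownTemplate` used by the second hunk is defined outside it too, so I cannot confirm it is in scope.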
@@ -5,7 +5,7 @@ The minimum length in seconds of each lockout. If an account locks repeatedly, t
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= '60'
+.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= [int]'60'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR05.ps1 b/powershell/internal/eidsca/Test-MtEidscaPR05.ps1
index d5b7c365..2cb0a0f7 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR05.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaPR05.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is greater or equal to '60'
+    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to [int]'60'
 
 .DESCRIPTION
 
@@ -8,12 +8,12 @@
 
     Queries settings
     and returns the result of
-     graph/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge '60'
+     graph/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge [int]'60'
 
 .EXAMPLE
     Test-MtEidscaPR05
 
-    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge [int]'60'
+    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge [int]'60'
 #>
 
 function Test-MtEidscaPR05 {
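Review bot: The regenerated SYNOPSIS in the `@@ -1,6 +1,6 @@` hunk of Test-MtEidscaPR05.ps1 now reads "Lockout duration in seconds is set to [int]'60'" where it previously said "is greater or equal to '60'", while the check in the function body (outside this hunk) is still `-ge`; the later patch in this series drops the `[int]` prefix but keeps "is set to '60'", so the generated help text no longer describes the comparison. The `[int]` prefix is also a PowerShell cast leaking into user-facing documentation and into the .md test script. Presumably the generator derives the "greater or equal" wording from the recommended-value string and the added prefix defeats that selection — worth fixing in build/eidsca/Update-EidscaTests.ps1 rather than in the generated files.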
@@ -24,16 +24,16 @@ function Test-MtEidscaPR05 {
 
     $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 
-    [string]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value
-    $testResult = [int]$tenantValue -ge [int]'60'
-    $tenantValueNotSet = $null -eq $tenantValue -and '60' -notlike '*$null*'
+    [int]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value
+    $testResult = $tenantValue -ge [int]'60'
+    $tenantValueNotSet = $null -eq $tenantValue -and [int]'60' -notlike '*$null*'
 
     if($testResult){
-        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is greater than or equal to **'60'** for **settings**"
+        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is greater than or equal to **[int]'60'** for **settings**"
     } elseif ($tenantValueNotSet) {
-        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'60'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
+        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **[int]'60'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
     } else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is greater than or equal to **'60'** for **settings**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is greater than or equal to **[int]'60'** for **settings**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR06.md b/powershell/internal/eidsca/Test-MtEidscaPR06.md
index 6ac24211..19b62e92 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR06.md
+++ b/powershell/internal/eidsca/Test-MtEidscaPR06.md
@@ -5,7 +5,7 @@ How many failed sign-ins are allowed on an account before its first lockout. If
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10'
+.values | where-object name -eq 'LockoutThreshold' | select-object -expand value = [int]'10'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR06.ps1 b/powershell/internal/eidsca/Test-MtEidscaPR06.ps1
index 1a01a151..046c7046 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR06.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaPR06.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold is set to '10'
+    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold is set to [int]'10'
 
 .DESCRIPTION
 
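Review bot: `[int]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value` converts an absent or empty setting to 0, so the new `$null -eq $tenantValue` test on the line after it can never be true, the "not configured explicitly" branch becomes unreachable, and a tenant that never set the value is reported as "configured as **0**"; a non-numeric value now throws at the cast instead of failing the control. Keeping the raw value for the presence check and casting afterwards avoids this: `$rawValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value`, `$tenantValueNotSet = [string]::IsNullOrEmpty($rawValue)`, then `[int]$tenantValue = $rawValue` only when it is set. The same cast is introduced for LockoutThreshold in Test-MtEidscaPR06.ps1 below and is kept by the final patch in this series; since both files are generated, the change belongs in the template in build/eidsca/Update-EidscaTests.ps1. Test-MtEidscaPR05 starts before this hunk and its return statement is outside it.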
@@ -8,12 +8,12 @@
 
     Queries settings
     and returns the result of
-     graph/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10'
+     graph/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq [int]'10'
 
 .EXAMPLE
     Test-MtEidscaPR06
 
-    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10'
+    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq [int]'10'
 #>
 
 function Test-MtEidscaPR06 {
@@ -24,16 +24,16 @@ function Test-MtEidscaPR06 {
 
     $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 
-    [string]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value
-    $testResult = $tenantValue -eq '10'
-    $tenantValueNotSet = $null -eq $tenantValue -and '10' -notlike '*$null*'
+    [int]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value
+    $testResult = $tenantValue -eq [int]'10'
+    $tenantValueNotSet = $null -eq $tenantValue -and [int]'10' -notlike '*$null*'
 
     if($testResult){
-        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'10'** for **settings**"
+        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **[int]'10'** for **settings**"
     } elseif ($tenantValueNotSet) {
-        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'10'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
+        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **[int]'10'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
     } else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'10'** for **settings**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **[int]'10'** for **settings**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 
diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
index 89e59c6a..9bc389af 100644
--- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
+++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
@@ -144,18 +144,18 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security",
     It "EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. See https://maester.dev/docs/tests/EIDSCA.PR05" {
         <#
             Check if "https://graph.microsoft.com/beta/settings"
-            .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= '60'
+            .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= [int]'60'
         #>
-        Test-MtEidscaControl -CheckId PR05 | Should -BeGreaterOrEqual '60'
+        Test-MtEidscaControl -CheckId PR05 | Should -BeGreaterOrEqual [int]'60'
     }
 }
 
 Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR06" {
     It "EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. See https://maester.dev/docs/tests/EIDSCA.PR06" {
         <#
             Check if "https://graph.microsoft.com/beta/settings"
-            .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10'
+            .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = [int]'10'
         #>
-        Test-MtEidscaControl -CheckId PR06 | Should -Be '10'
+        Test-MtEidscaControl -CheckId PR06 | Should -Be [int]'10'
     }
 }
From 993108295f4ab076963d2c859e9e398d22835f57 Mon Sep 17 00:00:00 2001
From: Thomas Naunheim <47817884+Cloud-Architekt@users.noreply.github.com>
Date: Thu, 3 Oct 2024 20:20:31 +0000
Subject: [PATCH 3/4] Update description on int values of EIDSCA values

---
 build/eidsca/Update-EidscaTests.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1
index c2a22520..4289ac91 100644
--- a/build/eidsca/Update-EidscaTests.ps1
+++ b/build/eidsca/Update-EidscaTests.ps1
@@ -310,7 +310,7 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
     # Replace string with int if DefaultValue is a number and expecting an int as configuration value
     if ($controlItem.DefaultValue -match "^[\d\.]+$") {
         $output = $output -replace 'string', 'int'
-        $output = $output -replace '%RecommendedValue%' , '[int]%RecommendedValue%'
+        #$output = $output -replace '%RecommendedValue%' , '[int]%RecommendedValue%'
     }
 
     $output = $output -replace '%DocName%', $docName
From 543988989ab658039c967dcb1a33ce665e20807e Mon Sep 17 00:00:00 2001
From: Thomas Naunheim
Date: Sun, 6 Oct 2024 19:32:31 +0200
Subject: [PATCH 4/4] Updated logic to prevent int value in docs

---
 build/eidsca/Update-EidscaTests.ps1 | 1 -
 powershell/internal/eidsca/Test-MtEidscaAM02.md | 4 ++--
 powershell/internal/eidsca/Test-MtEidscaAM02.ps1 | 16 ++++++++--------
 powershell/internal/eidsca/Test-MtEidscaPR05.md | 2 +-
 powershell/internal/eidsca/Test-MtEidscaPR05.ps1 | 16 ++++++++--------
 powershell/internal/eidsca/Test-MtEidscaPR06.md | 2 +-
 powershell/internal/eidsca/Test-MtEidscaPR06.ps1 | 16 ++++++++--------
 tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 12 ++++++------
 website/docs/tests/eidsca/EIDSCA.AM02.md | 6 +++---
 9 files changed, 37 insertions(+), 38 deletions(-)

diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1
index 4289ac91..24e6bde2 100644
--- a/build/eidsca/Update-EidscaTests.ps1
+++ b/build/eidsca/Update-EidscaTests.ps1
@@ -310,7 +310,6 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
     # Replace string with int if DefaultValue is a number and expecting an int as configuration value
     if ($controlItem.DefaultValue -match "^[\d\.]+$") {
         $output = $output -replace 'string', 'int'
-        #$output = $output -replace '%RecommendedValue%' , '[int]%RecommendedValue%'
     }
 
     $output = $output -replace '%DocName%', $docName
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.md b/powershell/internal/eidsca/Test-MtEidscaAM02.md
index d4ac6fb3..6aa86944 100644
--- a/powershell/internal/eidsca/Test-MtEidscaAM02.md
+++ b/powershell/internal/eidsca/Test-MtEidscaAM02.md
@@ -1,11 +1,11 @@
 Defines if users can use the OTP code generated by the Authenticator App.
 
-enabled
+true
 
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.isSoftwareOathEnabled = 'enabled'
+.isSoftwareOathEnabled = 'true'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM02.ps1
index e250ccdf..3f48f3d2 100644
--- a/powershell/internal/eidsca/Test-MtEidscaAM02.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaAM02.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'enabled'
+    Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'true'
 
 .DESCRIPTION
 
@@ -8,12 +8,12 @@
 
     Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
     and returns the result of
-     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'enabled'
+     graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'true'
 
 .EXAMPLE
     Test-MtEidscaAM02
 
-    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'enabled'
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'true'
 #>
 
 function Test-MtEidscaAM02 {
@@ -28,15 +28,15 @@ function Test-MtEidscaAM02 {
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta
 
     [string]$tenantValue = $result.isSoftwareOathEnabled
-    $testResult = $tenantValue -eq 'enabled'
-    $tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
+    $testResult = $tenantValue -eq 'true'
+    $tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
 
     if($testResult){
-        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
+        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
     } elseif ($tenantValueNotSet) {
-        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
+        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
     } else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR05.md b/powershell/internal/eidsca/Test-MtEidscaPR05.md
index 8af4dc6e..724246d4 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR05.md
+++ b/powershell/internal/eidsca/Test-MtEidscaPR05.md
@@ -5,7 +5,7 @@ The minimum length in seconds of each lockout. If an account locks repeatedly, t
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= [int]'60'
+.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= '60'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR05.ps1 b/powershell/internal/eidsca/Test-MtEidscaPR05.ps1
index 2cb0a0f7..7a30ac1b 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR05.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaPR05.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to [int]'60'
+    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to '60'
 
 .DESCRIPTION
 
@@ -8,12 +8,12 @@
 
     Queries settings
     and returns the result of
-     graph/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge [int]'60'
+     graph/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge '60'
 
 .EXAMPLE
     Test-MtEidscaPR05
 
-    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge [int]'60'
+    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge '60'
 #>
 
 function Test-MtEidscaPR05 {
@@ -25,15 +25,15 @@ function Test-MtEidscaPR05 {
     $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 
     [int]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value
-    $testResult = $tenantValue -ge [int]'60'
-    $tenantValueNotSet = $null -eq $tenantValue -and [int]'60' -notlike '*$null*'
+    $testResult = $tenantValue -ge '60'
+    $tenantValueNotSet = $null -eq $tenantValue -and '60' -notlike '*$null*'
 
     if($testResult){
-        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is greater than or equal to **[int]'60'** for **settings**"
+        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is greater than or equal to **'60'** for **settings**"
     } elseif ($tenantValueNotSet) {
-        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **[int]'60'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
+        $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'60'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
     } else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is greater than or equal to **[int]'60'** for **settings**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is greater than or equal to **'60'** for **settings**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR06.md b/powershell/internal/eidsca/Test-MtEidscaPR06.md
index 19b62e92..6ac24211 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR06.md
+++ b/powershell/internal/eidsca/Test-MtEidscaPR06.md
@@ -5,7 +5,7 @@ How many failed sign-ins are allowed on an account before its first lockout. If
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'LockoutThreshold' | select-object -expand value = [int]'10'
+.values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10'
 ```
 
 #### Related links
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR06.ps1 b/powershell/internal/eidsca/Test-MtEidscaPR06.ps1
index 046c7046..a971db55 100644
--- a/powershell/internal/eidsca/Test-MtEidscaPR06.ps1
+++ b/powershell/internal/eidsca/Test-MtEidscaPR06.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold is set to [int]'10'
+    Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold is set to '10'
 
 .DESCRIPTION
 
@@ -8,12 +8,12 @@
 
     Queries settings
     and returns the result of
-     graph/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq [int]'10'
+     graph/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10'
 
 .EXAMPLE
     Test-MtEidscaPR06
 
-    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq [int]'10'
+    Returns the result of graph.microsoft.com/beta/settings.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10'
 #>
 
 function Test-MtEidscaPR06 {
@@ -25,15 +25,15 @@ function Test-MtEidscaPR06 {
 $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 [int]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value
- $testResult = $tenantValue -eq [int]'10'
- $tenantValueNotSet = $null -eq $tenantValue -and [int]'10' -notlike '*$null*'
+ $testResult = $tenantValue -eq '10'
+ $tenantValueNotSet = $null -eq $tenantValue -and '10' -notlike '*$null*'
 if($testResult){
- $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **[int]'10'** for **settings**"
+ $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'10'** for **settings**"
 } elseif ($tenantValueNotSet) {
- $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **[int]'10'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
+ $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'10'** for **settings**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
 } else {
- $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **[int]'10'** for **settings**"
+ $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'10'** for **settings**"
 }
 Add-MtTestResultDetail -Result $testResultMarkdown
diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
index 9bc389af..cdfffc91 100644
--- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
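Review bot: `$testResult = $tenantValue -eq '10'` on the new side fails a tenant whose lockout threshold is stricter than the recommendation, such as 5, and the else-branch markdown then tells that admin the recommended value is '10' as though their setting were weaker. If the control is meant as an upper bound, `$testResult = $tenantValue -le 10` with the wording changed to "less than or equal to" would mirror how the PR05 hunk treats its duration as a lower bound; if an exact match is intended, a short comment on that line stating so would keep the next reader from changing it. The `[int]$tenantValue` declaration means PowerShell converts `'10'` to an integer for the comparison, so removing the `[int]` cast does not change the result, though writing the literal as `10` would make the intent visible. Test-MtEidscaPR06's body begins outside the hunk.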
+++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
@@ -144,18 +144,18 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security",
 It "EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. See https://maester.dev/docs/tests/EIDSCA.PR05" {
 <# Check if "https://graph.microsoft.com/beta/settings"
- .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= [int]'60'
+ .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= '60'
 #>
- Test-MtEidscaControl -CheckId PR05 | Should -BeGreaterOrEqual [int]'60'
+ Test-MtEidscaControl -CheckId PR05 | Should -BeGreaterOrEqual '60'
 }
 }
 Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", "All", "EIDSCA.PR06" {
 It "EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. See https://maester.dev/docs/tests/EIDSCA.PR06" {
 <# Check if "https://graph.microsoft.com/beta/settings"
- .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = [int]'10'
+ .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10'
 #>
- Test-MtEidscaControl -CheckId PR06 | Should -Be [int]'10'
+ Test-MtEidscaControl -CheckId PR06 | Should -Be '10'
 }
 }
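Review bot: `Should -BeGreaterOrEqual '60'` and `Should -Be '10'` now assert against string literals, but what Test-MtEidscaControl emits for PR05 and PR06 is not visible here; if it returns the boolean `$testResult` computed in the Test-MtEidscaPR05/PR06 hunks above (their return statement is outside those hunks), the assertions only pass because PowerShell coerces `'60'` and `'10'` to `$true` against the boolean left operand, which is accidental rather than intended. Pinning the expected value to the type the control actually returns, `Should -Be $true` for a boolean result or `Should -BeGreaterOrEqual 60` / `Should -Be 10` for an integer result, would make the test fail loudly if that return type ever changes. The previous `[int]'60'` was most likely passed as the literal string `[int]60`, since type literals are not honoured in argument mode, so the change itself is an improvement; a comment in the generator recording that restriction would keep the pattern from returning. The Describe block for PR05 starts before the hunk.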
@@ -219,9 +219,9 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur
 It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. See https://maester.dev/docs/tests/EIDSCA.AM02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } {
 <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')"
- .isSoftwareOathEnabled = 'enabled'
+ .isSoftwareOathEnabled = 'true'
 #>
- Test-MtEidscaControl -CheckId AM02 | Should -Be 'enabled'
+ Test-MtEidscaControl -CheckId AM02 | Should -Be 'true'
 }
 }
 Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM03" {
diff --git a/website/docs/tests/eidsca/EIDSCA.AM02.md b/website/docs/tests/eidsca/EIDSCA.AM02.md
index 3699165c..f669c386 100644
--- a/website/docs/tests/eidsca/EIDSCA.AM02.md
+++ b/website/docs/tests/eidsca/EIDSCA.AM02.md
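Review bot: The AM02 expectation moves from `'enabled'` to `'true'` on both new-side lines, but the control that `-CheckId AM02` resolves to is not part of this hunk, so the test is only consistent if that function's own comparison was updated to the same value; a boolean `isSoftwareOathEnabled` stringifies to `True`, which never equals `'enabled'`, so a mismatch there would make this test fail permanently. Because the Graph property is a boolean, `Should -Be $true` (with `$true` in the `Check if` comment as well) states the recommendation without depending on case-insensitive string comparison and right-operand coercion, and the website page in the next file section should then carry the same form. The It block also receives `-TestCases @{ EnabledAuthMethods = $EnabledAuthMethods }` although the visible body never references `$EnabledAuthMethods`; if that parameter is intentional, a one-line comment saying what it is for would help. The Describe block for AM02 starts before the hunk.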
@@ -22,11 +22,11 @@ Defines if users can use the OTP code generated by the Authenticator App.
 ### Details of configuration item
 | | |
 |-|-|
-| **Recommendation** | enabled |
+| **Recommendation** | true |
 | **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') |
 | **Setting** | `isSoftwareOathEnabled` |
-| **Recommended Value** | 'enabled' |
-| **Default Value** | enabled |
+| **Recommended Value** | 'true' |
+| **Default Value** | true |
 | **Graph API Docs** | [microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/microsoftauthenticatorauthenticationmethodconfiguration) |
 | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |