Merge pull request #531 from maester365/tnh-EidscaCR04-Fix

Added support for less equal operator in EIDSCA and improved check CR04

build/eidsca/Update-EidscaTests.ps1

@@ -46,7 +46,7 @@ function GetVersion($graphUri) {
 
 function GetRecommendedValue($RecommendedValue) {
     if($RecommendedValue -notlike "@('*,*')") {
-        $compareOperators = @(">=",">","<")
+        $compareOperators = @(">=","<=",">","<")
         foreach ($compareOperator in $compareOperators) {
             if ($RecommendedValue.StartsWith($compareOperator)) {
                 $RecommendedValue = $RecommendedValue.Replace($compareOperator, "")
@@ -62,6 +62,10 @@ function GetRecommendedValueMarkdown($RecommendedValueMarkdown) {
     if($RecommendedValueMarkdown -like "@('*,*')") {
         $RecommendedValueMarkdown = $RecommendedValueMarkdown -replace "@\(", "" -replace "\)", ""
         return "$RecommendedValueMarkdown"
+    } elseif ($RecommendedValueMarkdown.StartsWith(">") -or $RecommendedValueMarkdown.StartsWith("<")) {
+        $RecommendedValueText = (GetCompareOperator($RecommendedValueMarkdown)).Text
+        $RecommendedValueMarkdown = "$RecommendedValueText $RecommendedValue"
+        return "$RecommendedValueMarkdown"
     } else {
         return "'$RecommendedValueMarkdown'"
     }
@@ -82,6 +86,13 @@ function GetCompareOperator($RecommendedValue) {
             powershell = 'ge'
             text       = 'is greater than or equal to'
         }
+    } elseif ($RecommendedValue.StartsWith("<=")) {
+        $compareOperator = [PSCustomObject]@{
+            name       = '<='
+            pester     = 'BeLessOrEqual'
+            powershell = 'le'
+            text       = 'is less than or equal to'
+        }
     } elseif ($RecommendedValue.StartsWith(">")) {
         $compareOperator = [PSCustomObject]@{
             name       = '>'
@@ -430,7 +441,7 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" {
     It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%"%TestCases% {
         <#
             Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%"
-            .%CurrentValue% %CompareOperator% %RecommendedValue%
+            .%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
         #>
         Test-MtEidscaControl -CheckId %CheckShortId% | Should -%ShouldOperator% %RecommendedValue%
     }

powershell/internal/eidsca/@template.md

@@ -5,7 +5,7 @@
 #### Test script
 ```
 https://graph.microsoft.com/%ApiVersion%/%RelativeUri%
-.%CurrentValue% %CompareOperator% %RecommendedValue%
+.%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF01.md

@@ -5,7 +5,7 @@ enabled
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.state = 'enabled'
+.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF02.md

@@ -5,7 +5,7 @@ Allows users to register a FIDO key through the MySecurityInfo portal, even if e
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.isSelfServiceRegistrationAllowed = 'true'
+.isSelfServiceRegistrationAllowed -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF03.md

@@ -5,7 +5,7 @@ Requires the FIDO security key metadata to be published and verified with the FI
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.isAttestationEnforced = 'true'
+.isAttestationEnforced -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF04.md

@@ -5,7 +5,7 @@ Restrict usage of FIDO2 from unauthorized vendors or platforms
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.isEnforced = 'true'
+.keyRestrictions.isEnforced -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF05.md

@@ -5,7 +5,7 @@ You can work with your Security key provider to determine the AAGuids of their d
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.aaGuids -notcontains $null = 'true'
+.keyRestrictions.aaGuids -notcontains $null -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF06.md

@@ -5,7 +5,7 @@ You should use Block or Allow as value to allow- or blocklisting of AAGuids.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true'
+.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAG01.md

@@ -5,7 +5,7 @@ On September 30th, 2025, the legacy multifactor authentication and self-service
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-.policyMigrationState = 'migrationComplete'
+.policyMigrationState -eq 'migrationComplete'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAG02.md

@@ -5,7 +5,7 @@ Allows to integrate report of fraud attempt by users to identity protection: Use
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-.reportSuspiciousActivitySettings.state = 'enabled'
+.reportSuspiciousActivitySettings.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAG03.md

@@ -5,7 +5,7 @@ Apply this feature to all users.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-.reportSuspiciousActivitySettings.includeTarget.id = 'all_users'
+.reportSuspiciousActivitySettings.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM01.md

@@ -5,7 +5,7 @@ enabled
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.state = 'enabled'
+.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM02.md

@@ -5,7 +5,7 @@ true
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.isSoftwareOathEnabled = 'true'
+.isSoftwareOathEnabled -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM03.md

@@ -5,7 +5,7 @@ Defines if number matching is required for MFA notifications.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.numberMatchingRequiredState.state = 'enabled'
+.featureSettings.numberMatchingRequiredState.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM04.md

@@ -5,7 +5,7 @@ Object Id or scope of users which will be showing number matching in the Authent
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.numberMatchingRequiredState.includeTarget.id = 'all_users'
+.featureSettings.numberMatchingRequiredState.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM06.md

@@ -5,7 +5,7 @@ Determines whether the user's Authenticator app will show them the client app th
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayAppInformationRequiredState.state = 'enabled'
+.featureSettings.displayAppInformationRequiredState.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM07.md

@@ -5,7 +5,7 @@ Object Id or scope of users which will be showing app information in the Authent
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayAppInformationRequiredState.includeTarget.id = 'all_users'
+.featureSettings.displayAppInformationRequiredState.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM09.md

@@ -5,7 +5,7 @@ Determines whether the user's Authenticator app will show them the geographic lo
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayLocationInformationRequiredState.state = 'enabled'
+.featureSettings.displayLocationInformationRequiredState.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM10.md

@@ -5,7 +5,7 @@ Object Id or scope of users which will be showing geographic location in the Aut
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayLocationInformationRequiredState.includeTarget.id = 'all_users'
+.featureSettings.displayLocationInformationRequiredState.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP01.md

@@ -5,7 +5,7 @@ Administrators with sensitive roles should use phishing-resistant authentication
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowedToUseSSPR = 'false'
+.allowedToUseSSPR -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP04.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.18: Only users with the Guest Inviter role SHOULD be able to invite
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowInvitesFrom in @('adminsAndGuestInviters','none')
+.allowInvitesFrom -in @('adminsAndGuestInviters','none')
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP05.md

@@ -5,7 +5,7 @@ Indicates whether users can sign up for email based subscriptions.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowedToSignUpEmailBasedSubscriptions = 'false'
+.allowedToSignUpEmailBasedSubscriptions -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP06.md

@@ -5,7 +5,7 @@ Controls whether users can join the tenant by email validation. To join, the use
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowEmailVerifiedUsersToJoinOrganization = 'false'
+.allowEmailVerifiedUsersToJoinOrganization -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP07.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.18: Guest users SHOULD have limited access to Azure AD directory ob
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.guestUserRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'
+.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP08.md

@@ -5,7 +5,7 @@ Microsoft recommends to allow to user consent for apps from verified publisher f
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
+.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP09.md

@@ -5,7 +5,7 @@ Indicates whether user consent for risky apps is allowed. For example, consent r
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowUserConsentForRiskyApps = 'false'
+.allowUserConsentForRiskyApps -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP10.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party App
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.defaultUserRolePermissions.allowedToCreateApps = 'false'
+.defaultUserRolePermissions.allowedToCreateApps -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP14.md

@@ -5,7 +5,7 @@ Restrict this default permissions for members have huge impact on collaboration
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.defaultUserRolePermissions.allowedToReadOtherUsers = 'true'
+.defaultUserRolePermissions.allowedToReadOtherUsers -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAS04.md

@@ -5,7 +5,7 @@ Avoid to use SMS as primary sign in factor (instead of a password) and consider
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')
-.includeTargets.isUsableForSignIn = 'false'
+.includeTargets.isUsableForSignIn -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAT01.md

@@ -5,7 +5,7 @@ Use Temporary Access Pass for secure onboarding users (initial password replacem
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')
-.state = 'enabled'
+.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAT02.md

@@ -5,7 +5,7 @@ Avoid to allow reusable passes and restrict usage to one-time use (if applicable
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')
-.isUsableOnce = 'true'
+.isUsableOnce -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAV01.md

@@ -5,7 +5,7 @@ Choose authentication methods with number matching (Authenticator)
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Voice')
-.state = 'disabled'
+.state -eq 'disabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCP01.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Thi
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value = 'False'
+.values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value -eq 'False'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCP03.md

@@ -5,7 +5,7 @@ Defines whether user consent will be blocked when a risky request is detected
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value = 'true'
+.values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCP04.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Thi
 #### Test script
 ```
 https://graph.microsoft.com/beta/settings
-.values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value = 'true'
+.values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCR01.md

@@ -5,7 +5,7 @@ Defines if admin consent request feature is enabled or disabled
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.isEnabled = 'true'
+.isEnabled -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCR02.md

@@ -5,7 +5,7 @@ Specifies whether reviewers will receive notifications
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.notifyReviewers = 'true'
+.notifyReviewers -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCR03.md

@@ -5,7 +5,7 @@ Specifies whether reviewers will receive reminder emails
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.remindersEnabled = 'true'
+.remindersEnabled -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCR04.md

@@ -5,7 +5,7 @@ Specifies the duration the request is active before it automatically expires if
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.requestDurationInDays = '30'
+.requestDurationInDays -le '30'
 ```
 
 #### Related links