Merge branch 'main' into pr/518

README.md

@@ -107,8 +107,8 @@ jobs:
     - name: Run Maester action
       uses: maester365/maester@main
       with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        client_id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant_id: ${{ secrets.AZURE_TENANT_ID }}
         include_public_tests: true # Optional
         pester_verbosity: None # Optional - 'None', 'Normal', 'Detailed', 'Diagnostic'
 

action.yml

@@ -27,11 +27,11 @@ inputs:
     required: false
     default: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
   include_tags:
-    description: "A list of tags to include in the test run. Please separate multiple tags with a comma."
+    description: "A list of tags to include in the test run. Please separate multiple tags with a comma (without space)."
     required: false
     default: ""
   exclude_tags:
-    description: "A list of tags to exclude from the test run. Please separate multiple tags with a comma."
+    description: "A list of tags to exclude from the test run. Please separate multiple tags with a comma (without space)."
     required: false
     default: ""
   pester_verbosity:
@@ -48,6 +48,16 @@ inputs:
     description: "Define whether the results are uploaded as Artifacts."
     required: false
     default: true
+  install_prerelease:
+    type: boolean
+    description: "Installs the preview version, allowing access to new cmdlets."
+    required: false
+    default: false
+  disable_telemetry:
+    type: boolean
+    description: "If set, telemetry information will not be logged."
+    required: false
+    default: false
 
 runs:
   using: "composite"
@@ -87,7 +97,11 @@ runs:
           Connect-MgGraph -AccessToken $accessToken -NoWelcome
 
           # Install Maester
-          Install-Module Maester -Force
+          if ( [string]::IsNullOrWhiteSpace( '${{ inputs.install_prerelease}}' ) -eq $true ){
+            Install-Module Maester -AllowPrerelease -Force
+          } else {
+            Install-Module Maester -Force
+          }
 
           # Configure test results
           $PesterConfiguration = New-PesterConfiguration
@@ -130,6 +144,11 @@ runs:
               }
           }
 
+          # Check if disable telemetry is provided
+          if ( [string]::IsNullOrWhiteSpace( '${{ inputs.disable_telemetry}}' ) -eq $true ) {
+            $MaesterParameters.Add( 'DisableTelemetry', $true )
+          }
+
           # Run Maester tests
           $results = Invoke-Maester @MaesterParameters
 

build/eidsca/Update-EidscaTests.ps1

@@ -46,7 +46,7 @@ function GetVersion($graphUri) {
 
 function GetRecommendedValue($RecommendedValue) {
     if($RecommendedValue -notlike "@('*,*')") {
-        $compareOperators = @(">=",">","<")
+        $compareOperators = @(">=","<=",">","<")
         foreach ($compareOperator in $compareOperators) {
             if ($RecommendedValue.StartsWith($compareOperator)) {
                 $RecommendedValue = $RecommendedValue.Replace($compareOperator, "")
@@ -62,6 +62,10 @@ function GetRecommendedValueMarkdown($RecommendedValueMarkdown) {
     if($RecommendedValueMarkdown -like "@('*,*')") {
         $RecommendedValueMarkdown = $RecommendedValueMarkdown -replace "@\(", "" -replace "\)", ""
         return "$RecommendedValueMarkdown"
+    } elseif ($RecommendedValueMarkdown.StartsWith(">") -or $RecommendedValueMarkdown.StartsWith("<")) {
+        $RecommendedValueText = (GetCompareOperator($RecommendedValueMarkdown)).Text
+        $RecommendedValueMarkdown = "$RecommendedValueText $RecommendedValue"
+        return "$RecommendedValueMarkdown"
     } else {
         return "'$RecommendedValueMarkdown'"
     }
@@ -82,6 +86,13 @@ function GetCompareOperator($RecommendedValue) {
             powershell = 'ge'
             text       = 'is greater than or equal to'
         }
+    } elseif ($RecommendedValue.StartsWith("<=")) {
+        $compareOperator = [PSCustomObject]@{
+            name       = '<='
+            pester     = 'BeLessOrEqual'
+            powershell = 'le'
+            text       = 'is less than or equal to'
+        }
     } elseif ($RecommendedValue.StartsWith(">")) {
         $compareOperator = [PSCustomObject]@{
             name       = '>'
@@ -430,7 +441,7 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" {
     It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%"%TestCases% {
         <#
             Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%"
-            .%CurrentValue% %CompareOperator% %RecommendedValue%
+            .%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
         #>
         Test-MtEidscaControl -CheckId %CheckShortId% | Should -%ShouldOperator% %RecommendedValue%
     }

powershell/Maester.psd1

@@ -94,8 +94,8 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Test-MtCaExclusionForDirectorySyncAccount',
                'Test-MtCaLicenseUtilization', 'Test-MtCaMfaForAdmin',
                'Test-MtCaMfaForAdminManagement', 'Test-MtCaMfaForAllUsers',
-               'Test-MtCaGroupsRestricted',
-               'Test-MtCaGap',
+               "Test-MtCaGroupsRestricted",
+               "Test-MtCaGap", "Test-MtCaReferencedGroupsExist",
                'Test-MtCaMfaForGuest', 'Test-MtCaMfaForRiskySignIn',
                'Test-MtCaRequirePasswordChangeForHighUserRisk',
                'Test-MtCaSecureSecurityInfoRegistration', 'Test-MtCisaDiagnosticSettings',

powershell/internal/ConvertTo-MtMaesterResults.ps1

@@ -103,7 +103,7 @@ function ConvertTo-MtMaesterResult {
         $mtTestInfo = [PSCustomObject]@{
             Name            = $name
             HelpUrl         = $helpUrl
-            Tag             = $test.Block.Tag
+            Tag             = ($test.Block.Tag + $test.Tag | Select-Object -Unique)
             Result          = $test.Result
             ScriptBlock     = $test.ScriptBlock.ToString()
             ScriptBlockFile = $test.ScriptBlock.File

powershell/internal/Get-MtSkippedReason.ps1

@@ -21,6 +21,7 @@ function Get-MtSkippedReason {
         "NotLicensedEntraWorkloadID" { "This test is for tenants that are licensed for Entra Workload ID. See [Entra Workload ID licensing](https://learn.microsoft.com/entra/workload-id/workload-identities-faqs)"; break}
         "NotLicensedExoDlp" { "This test is for tenants that are licensed for Exchange Online DLP. See [Microsoft Purview Data Loss Prevention: Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business](https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#which-licenses-provide-the-rights-for-a-user-to-benefit-from-the-service-7)"; break}
         "NotLicensedMdo" { "This test is for tenants that are licensed for Defender for Office 365 Plan 2. See [Microsoft Defender for Office 365 service description](https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)"; break}
+        "NotLicensedMdoP1" { "This test is for tenants that are licensed for Defender for Office 365 Plan 1. See [Microsoft Defender for Office 365 service description](https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)"; break}
         "AdvAudit" { "This test is for tenants that are licensed for Advanced Audit. See [Learn about auditing solutions in Microsoft Purview](https://learn.microsoft.com/en-us/purview/audit-solutions-overview#licensing-requirements)"; break}
         "LicensedEntraIDPremium" { "This test is for tenants that are not licensed for any Entra ID Premium license. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break}
         "NotSupported" { "This test relies on capabilities not currently available (e.g., cmdlets that are not available on all platforms, Resolve-DnsName)"; break}

powershell/internal/Write-Telemetry.ps1

@@ -0,0 +1,36 @@
+function Write-Telemetry {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [ValidateSet("InvokeMaester")]
+        [string]
+        $EventName
+    )
+    Write-Verbose "Sending telemetry event: $EventName"
+
+    $tenantId = Get-MgContext | Select-Object -ExpandProperty TenantId
+    if (-not $tenantId) {
+        $tenantId = "unknown"
+    }
+    # Define the JSON data
+    $jsonData = @{
+        api_key = "phc_VxA235FsdurMGycf9DHjlUeZeIhLuC7r11Ptum0WjRK"
+        distinct_id = $tenantId
+        event = $EventName
+    }
+
+    # Convert the data to JSON format
+    $jsonBody = $jsonData | ConvertTo-Json
+
+    # Define the URL
+    $url = "https://us.i.posthog.com/capture/"
+
+    # Send the POST request
+    try {
+        Invoke-RestMethod -Uri $url -Method Post -ContentType "application/json" -Body $jsonBody | Out-Null
+    }
+    catch {
+        Write-Verbose $_
+    }
+
+}

powershell/internal/eidsca/@template.md

@@ -5,7 +5,7 @@
 #### Test script
 ```
 https://graph.microsoft.com/%ApiVersion%/%RelativeUri%
-.%CurrentValue% %CompareOperator% %RecommendedValue%
+.%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF01.md

@@ -5,7 +5,7 @@ enabled
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.state = 'enabled'
+.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF02.md

@@ -5,7 +5,7 @@ Allows users to register a FIDO key through the MySecurityInfo portal, even if e
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.isSelfServiceRegistrationAllowed = 'true'
+.isSelfServiceRegistrationAllowed -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF03.md

@@ -5,7 +5,7 @@ Requires the FIDO security key metadata to be published and verified with the FI
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.isAttestationEnforced = 'true'
+.isAttestationEnforced -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF04.md

@@ -5,7 +5,7 @@ Restrict usage of FIDO2 from unauthorized vendors or platforms
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.isEnforced = 'true'
+.keyRestrictions.isEnforced -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF05.md

@@ -5,7 +5,7 @@ You can work with your Security key provider to determine the AAGuids of their d
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.aaGuids -notcontains $null = 'true'
+.keyRestrictions.aaGuids -notcontains $null -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAF06.md

@@ -5,7 +5,7 @@ You should use Block or Allow as value to allow- or blocklisting of AAGuids.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')
-.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true'
+.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAG01.md

@@ -5,7 +5,7 @@ On September 30th, 2025, the legacy multifactor authentication and self-service
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-.policyMigrationState = 'migrationComplete'
+.policyMigrationState -eq 'migrationComplete'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAG02.md

@@ -5,7 +5,7 @@ Allows to integrate report of fraud attempt by users to identity protection: Use
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-.reportSuspiciousActivitySettings.state = 'enabled'
+.reportSuspiciousActivitySettings.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAG03.md

@@ -5,7 +5,7 @@ Apply this feature to all users.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
-.reportSuspiciousActivitySettings.includeTarget.id = 'all_users'
+.reportSuspiciousActivitySettings.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM01.md

@@ -5,7 +5,7 @@ enabled
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.state = 'enabled'
+.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM02.md

@@ -5,7 +5,7 @@ true
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.isSoftwareOathEnabled = 'true'
+.isSoftwareOathEnabled -eq 'true'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM03.md

@@ -5,7 +5,7 @@ Defines if number matching is required for MFA notifications.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.numberMatchingRequiredState.state = 'enabled'
+.featureSettings.numberMatchingRequiredState.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM04.md

@@ -5,7 +5,7 @@ Object Id or scope of users which will be showing number matching in the Authent
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.numberMatchingRequiredState.includeTarget.id = 'all_users'
+.featureSettings.numberMatchingRequiredState.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM06.md

@@ -5,7 +5,7 @@ Determines whether the user's Authenticator app will show them the client app th
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayAppInformationRequiredState.state = 'enabled'
+.featureSettings.displayAppInformationRequiredState.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM07.md

@@ -5,7 +5,7 @@ Object Id or scope of users which will be showing app information in the Authent
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayAppInformationRequiredState.includeTarget.id = 'all_users'
+.featureSettings.displayAppInformationRequiredState.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM09.md

@@ -5,7 +5,7 @@ Determines whether the user's Authenticator app will show them the geographic lo
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayLocationInformationRequiredState.state = 'enabled'
+.featureSettings.displayLocationInformationRequiredState.state -eq 'enabled'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAM10.md

@@ -5,7 +5,7 @@ Object Id or scope of users which will be showing geographic location in the Aut
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')
-.featureSettings.displayLocationInformationRequiredState.includeTarget.id = 'all_users'
+.featureSettings.displayLocationInformationRequiredState.includeTarget.id -eq 'all_users'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP01.md

@@ -5,7 +5,7 @@ Administrators with sensitive roles should use phishing-resistant authentication
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowedToUseSSPR = 'false'
+.allowedToUseSSPR -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP04.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.18: Only users with the Guest Inviter role SHOULD be able to invite
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowInvitesFrom in @('adminsAndGuestInviters','none')
+.allowInvitesFrom -in @('adminsAndGuestInviters','none')
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP05.md

@@ -5,7 +5,7 @@ Indicates whether users can sign up for email based subscriptions.
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowedToSignUpEmailBasedSubscriptions = 'false'
+.allowedToSignUpEmailBasedSubscriptions -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP06.md

@@ -5,7 +5,7 @@ Controls whether users can join the tenant by email validation. To join, the use
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.allowEmailVerifiedUsersToJoinOrganization = 'false'
+.allowEmailVerifiedUsersToJoinOrganization -eq 'false'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP07.md

@@ -5,7 +5,7 @@ CISA SCuBA 2.18: Guest users SHOULD have limited access to Azure AD directory ob
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.guestUserRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'
+.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaAP08.md

@@ -5,7 +5,7 @@ Microsoft recommends to allow to user consent for apps from verified publisher f
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authorizationPolicy
-.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
+.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
 ```
 
 #### Related links