fix(MS.AAD.6.1): password expiration must be configured for all domains #603
Conversation
In my opinion, it's a good practice to check all domains, as the 'primary domain' does not always technically appear as 'isDefault.'
Added comment #594 (comment)
Holding PR to update test to align with suggestion from @soulemike (see link above). I agree more details here would be good. Likely returning each domain in a table with the configuration and pass state, similar to other tests. Something like the below. With the test result validating all verified managed and federated domains are valid.
Reviewing the CISA REGO it looks like they do something similar and measure the aggregate, so just looks like something I missed when wiring this up. https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L681 @weyCC81 let us know if you would like to pick this up, if not I can take a stab. Thanks!
Updated PR to include details. Realized I missed a skip condition. Adding it quick.
LGTM
addresses #594
This may be an opinionated change, and I am happy to discuss.
To comply with MS.AAD.6.1, all verified domains should be evaluated for this configuration value.
If configuring the primary domain is sufficient for compliance (i.e. the configured value for non-primary domains becomes irrelevant), then the isDefault attribute should be used to filter the results down to a single domain.
This PR is with the following requirement in mind:
ALL verified managed domains shall be configured to not require password expiry.
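The per-domain table and aggregate result discussed in the thread, as an added example that is not the project's own test code. It assumes domain objects shaped like the Microsoft Graph domain resource returned by Get-MgDomain (Id, IsVerified, IsDefault, AuthenticationType, PasswordValidityPeriodInDays), treats only verified managed domains as in scope for the stated requirement, and uses constructed sample data so it runs offline.

```powershell
# Added example (not Maester's own test): evaluate MS.AAD.6.1 across every
# verified managed domain instead of only the one flagged isDefault.
# In Entra ID, "passwords never expire" is stored as this sentinel value.
$NeverExpires = 2147483647

function Test-DomainPasswordExpiry {
    param(
        [Parameter(Mandatory)]
        [object[]] $Domains   # objects shaped like Get-MgDomain output (assumption)
    )

    # Federated domains delegate password policy to the IdP, so only verified
    # cloud-managed domains are evaluated; everything else is out of scope.
    $inScope = @($Domains | Where-Object {
        $_.IsVerified -and $_.AuthenticationType -eq 'Managed'
    })

    # One row per domain with its configured value and individual pass state.
    $rows = @(foreach ($d in $inScope) {
        [pscustomobject]@{
            Domain                       = $d.Id
            IsDefault                    = [bool]$d.IsDefault
            PasswordValidityPeriodInDays = $d.PasswordValidityPeriodInDays
            Pass                         = ($d.PasswordValidityPeriodInDays -eq $NeverExpires)
        }
    })

    # Skip when nothing is in scope; otherwise the control passes only if
    # every in-scope domain passes (aggregate, as ScubaGear measures it).
    [pscustomobject]@{
        Skipped = ($rows.Count -eq 0)
        Pass    = ($rows.Count -gt 0) -and -not ($rows | Where-Object { -not $_.Pass })
        Details = $rows
    }
}

# Constructed sample data: the default domain is compliant, a secondary managed
# domain still expires passwords, and a federated domain is skipped.
$sample = @(
    [pscustomobject]@{ Id='contoso.onmicrosoft.com'; IsVerified=$true; IsDefault=$true;  AuthenticationType='Managed';   PasswordValidityPeriodInDays=2147483647 }
    [pscustomobject]@{ Id='contoso.com';             IsVerified=$true; IsDefault=$false; AuthenticationType='Managed';   PasswordValidityPeriodInDays=90 }
    [pscustomobject]@{ Id='fabrikam.com';            IsVerified=$true; IsDefault=$false; AuthenticationType='Federated'; PasswordValidityPeriodInDays=2147483647 }
)

$result = Test-DomainPasswordExpiry -Domains $sample
$result.Details | Format-Table -AutoSize
"Overall pass: $($result.Pass)"
```

With the sample above the isDefault domain passes on its own, yet the aggregate fails because contoso.com is still configured for a 90-day validity period, which is exactly the case a default-only check would miss.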