Merge pull request #414 from Snozzberries/cisaEntraSkips

Updated CISA Entra tests to use skippedBecause, added tag for minimum…
maester365 · Aug 13, 2024 · 46d9121 · 46d9121
2 parents 9a53255 + bf41a6b
commit 46d9121
Show file tree

Hide file tree

Showing 58 changed files with 403 additions and 143 deletions.
diff --git a/powershell/public/cisa/entra/Test-MtCisaAppAdminConsent.ps1 b/powershell/public/cisa/entra/Test-MtCisaAppAdminConsent.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaAppAdminConsent {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $result = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -ApiVersion v1.0
 
     $reviewers = $result | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaAppGroupOwnerConsent.ps1 b/powershell/public/cisa/entra/Test-MtCisaAppGroupOwnerConsent.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaAppGroupOwnerConsent {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     #May need update to https://learn.microsoft.com/en-us/graph/api/resources/teamsappsettings?view=graph-rest-1.0
     $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta
 

diff --git a/powershell/public/cisa/entra/Test-MtCisaAppRegistration.ps1 b/powershell/public/cisa/entra/Test-MtCisaAppRegistration.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaAppRegistration {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -ApiVersion v1.0
 
     $testResult = $result.defaultUserRolePermissions.allowedToCreateApps -eq $false

diff --git a/powershell/public/cisa/entra/Test-MtCisaAppUserConsent.ps1 b/powershell/public/cisa/entra/Test-MtCisaAppUserConsent.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaAppUserConsent {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -ApiVersion v1.0
 
     $permissions = $result.defaultUserRolePermissions.permissionGrantPoliciesAssigned | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaAssignmentNotification.ps1 b/powershell/public/cisa/entra/Test-MtCisaAssignmentNotification.ps1
@@ -18,10 +18,16 @@ function Test-MtCisaAssignmentNotification {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
     $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance"
     if(-not $pim){
-        return $false
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
+        return $null
     }
 
     $roles = Get-MtRole -CisaHighlyPrivilegedRoles

diff --git a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1
@@ -23,6 +23,12 @@ function Test-MtCisaAuthenticatorContext {
         return $null
     }
 
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $isMethodsMigrationComplete = Test-MtCisaMethodsMigration
 
     $result = Get-MtAuthenticationMethodPolicyConfig

diff --git a/powershell/public/cisa/entra/Test-MtCisaBlockHighRiskSignIn.ps1 b/powershell/public/cisa/entra/Test-MtCisaBlockHighRiskSignIn.ps1
@@ -18,6 +18,17 @@ function Test-MtCisaBlockHighRiskSignIn {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -ne "P2"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     $blockPolicies = $result | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaBlockHighRiskUser.ps1 b/powershell/public/cisa/entra/Test-MtCisaBlockHighRiskUser.ps1
@@ -18,6 +18,17 @@ function Test-MtCisaBlockHighRiskUser {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -ne "P2"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     $blockPolicies = $result | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaBlockLegacyAuth.ps1 b/powershell/public/cisa/entra/Test-MtCisaBlockLegacyAuth.ps1
@@ -18,6 +18,17 @@ function Test-MtCisaBlockLegacyAuth {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     $blockPolicies = $result | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.ps1 b/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.ps1
@@ -18,6 +18,18 @@ function Test-MtCisaCloudGlobalAdmin {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $scopes = (Get-MgContext).Scopes
+    $permissionMissing = "RoleEligibilitySchedule.ReadWrite.Directory" -notin $scopes
+    if($permissionMissing){
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Missing Scope RoleEligibilitySchedule.ReadWrite.Directory"
+        return $null
+    }
+
     $role = Get-MtRole | Where-Object {`
         $_.id -eq "62e90394-69f5-4237-9190-012177145e10" } # Global Administrator
 

diff --git a/powershell/public/cisa/entra/Test-MtCisaCrossTenantInboundDefault.ps1 b/powershell/public/cisa/entra/Test-MtCisaCrossTenantInboundDefault.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaCrossTenantInboundDefault {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $policy = Invoke-MtGraphRequest -RelativeUri "policies/crossTenantAccessPolicy/default"
 
     $testResult = ($policy | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1
@@ -24,6 +24,12 @@ function Test-MtCisaDiagnosticSettings {
         return $null
     }
 
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $cisaLogs = @(
         "AuditLogs",
         "SignInLogs",

diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.ps1 b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.ps1
@@ -18,6 +18,18 @@ function Test-MtCisaGlobalAdminCount {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $scopes = (Get-MgContext).Scopes
+    $permissionMissing = "RoleEligibilitySchedule.ReadWrite.Directory" -notin $scopes
+    if($permissionMissing){
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Missing Scope RoleEligibilitySchedule.ReadWrite.Directory"
+        return $null
+    }
+
     $role = Get-MtRole | Where-Object {`
         $_.id -eq "62e90394-69f5-4237-9190-012177145e10" } # Global Administrator
 

diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1
@@ -18,6 +18,18 @@ function Test-MtCisaGlobalAdminRatio {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $scopes = (Get-MgContext).Scopes
+    $permissionMissing = "RoleEligibilitySchedule.ReadWrite.Directory" -notin $scopes
+    if($permissionMissing){
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Missing Scope RoleEligibilitySchedule.ReadWrite.Directory"
+        return $null
+    }
+
     $roles = Get-MtRole -CisaHighlyPrivilegedRoles
     $roleAssignments = @()
 

diff --git a/powershell/public/cisa/entra/Test-MtCisaGuestInvitation.ps1 b/powershell/public/cisa/entra/Test-MtCisaGuestInvitation.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaGuestInvitation {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -ApiVersion v1.0
 
     $testResult = $result.allowInvitesFrom -eq "adminsAndGuestInviters"

diff --git a/powershell/public/cisa/entra/Test-MtCisaGuestUserAccess.ps1 b/powershell/public/cisa/entra/Test-MtCisaGuestUserAccess.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaGuestUserAccess {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $guestRoles = @(
         @{
             Id               = "a0b1b346-4d3e-4e8b-98f8-753987be4970"

diff --git a/powershell/public/cisa/entra/Test-MtCisaManagedDevice.ps1 b/powershell/public/cisa/entra/Test-MtCisaManagedDevice.ps1
@@ -21,6 +21,17 @@ function Test-MtCisaManagedDevice {
         [switch]$SkipHybridJoinCheck
     )
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     if($SkipHybridJoinCheck){

diff --git a/powershell/public/cisa/entra/Test-MtCisaManagedDeviceRegistration.ps1 b/powershell/public/cisa/entra/Test-MtCisaManagedDeviceRegistration.ps1
@@ -21,6 +21,17 @@ function Test-MtCisaManagedDeviceRegistration {
         [switch]$SkipHybridJoinCheck
     )
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     if($SkipHybridJoinCheck){

diff --git a/powershell/public/cisa/entra/Test-MtCisaMethodsMigration.ps1 b/powershell/public/cisa/entra/Test-MtCisaMethodsMigration.ps1
@@ -18,6 +18,17 @@ function Test-MtCisaMethodsMigration {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     #4/28/2024 - Select OData query option not supported
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationmethodspolicy" -ApiVersion "v1.0"
 

diff --git a/powershell/public/cisa/entra/Test-MtCisaMfa.ps1 b/powershell/public/cisa/entra/Test-MtCisaMfa.ps1
@@ -18,6 +18,20 @@ function Test-MtCisaMfa {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }elseif(Test-MtCisaPhishResistant){
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Test-MtCisaPhishResistant Passed"
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     $policies = $result | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaNotifyHighRisk.ps1 b/powershell/public/cisa/entra/Test-MtCisaNotifyHighRisk.ps1
@@ -22,6 +22,17 @@ function Test-MtCisaNotifyHighRisk {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -ne "P2"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
+        return $null
+    }
+
     #Connect-MgGraph -UseDeviceCode -Scopes IdentityRiskEvent.Read.All
     $result = Invoke-MtGraphRequest -RelativeUri "identityProtection/settings/notifications" -ApiVersion "beta"
 

diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
@@ -18,6 +18,11 @@ function Test-MtCisaPasswordExpiration {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $result = Invoke-MtGraphRequest -RelativeUri "domains" -ApiVersion v1.0
 
     #Would need to validate management API is configured

diff --git a/powershell/public/cisa/entra/Test-MtCisaPermanentRoleAssignment.ps1 b/powershell/public/cisa/entra/Test-MtCisaPermanentRoleAssignment.ps1
@@ -18,10 +18,16 @@ function Test-MtCisaPermanentRoleAssignment {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
     $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
     $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance"
     if(-not $pim){
-        return $false
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
+        return $null
     }
 
     $roles = Get-MtRole -CisaHighlyPrivilegedRoles

diff --git a/powershell/public/cisa/entra/Test-MtCisaPhishResistant.ps1 b/powershell/public/cisa/entra/Test-MtCisaPhishResistant.ps1
@@ -18,6 +18,17 @@ function Test-MtCisaPhishResistant {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $result = Get-MtConditionalAccessPolicy
 
     $policies = $result | Where-Object {`

diff --git a/powershell/public/cisa/entra/Test-MtCisaPrivilegedPhishResistant.ps1 b/powershell/public/cisa/entra/Test-MtCisaPrivilegedPhishResistant.ps1
@@ -18,6 +18,17 @@ function Test-MtCisaPrivilegedPhishResistant {
     [OutputType([bool])]
     param()
 
+    if(!(Test-MtConnection Graph)){
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
+    if($EntraIDPlan -eq "Free"){
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
     $highlyPrivilegedRoles = Get-MtRole -CisaHighlyPrivilegedRoles
 
     $result = Get-MtConditionalAccessPolicy