From c7090ef18e15e6517e6f909b15376910f528c38a Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:07:08 -0700 Subject: [PATCH 01/29] Fixes AAD 4.1 --- .../Entra/Test-MtCisaDiagnosticSettings.Tests.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/CISA/Entra/Test-MtCisaDiagnosticSettings.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaDiagnosticSettings.Tests.ps1 index e5504eb5..db58a8bc 100644 --- a/tests/CISA/Entra/Test-MtCisaDiagnosticSettings.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaDiagnosticSettings.Tests.ps1 @@ -1,9 +1,9 @@ -BeforeAll { - $azureSession = Test-MtConnection -Service Azure -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.4.1", "CISA", "Security", "All" -Skip:((-not $azureSession)) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.4.1", "CISA", "Security", "All" { It "MS.AAD.4.1: Security logs SHALL be sent to the agency's security operations center for monitoring." { - Test-MtCisaDiagnosticSettings | Should -Be $true -Because "diagnostic settings are configured for all logs." + $cisaDiagnosticSettings = Test-MtCisaDiagnosticSettings + + if ($null -ne $cisaDiagnosticSettings) { + $cisaDiagnosticSettings | Should -Be $true -Because "diagnostic settings are configured for all logs." + } } } \ No newline at end of file From 0dc380d77234af7a04fdaf7fe8893b52667f1105 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:07:13 -0700 Subject: [PATCH 02/29] Fixes AAD 4.1 --- .../public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 index ab0476d1..06d272e7 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 
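Review bot: When `Test-MtCisaDiagnosticSettings` returns `$null`, the `It` block now ends without any assertion, and Pester records a test with no assertions as passed, so a tenant with no Azure session would show MS.AAD.4.1 as passing unless the helper behind the skip marks the result itself. That skip depends on `Add-MtTestResultDetail -SkippedBecause` calling `Set-ItResult -Skipped` internally, which nothing in this series shows. An explicit branch keeps the test honest regardless of the helper: `else { Set-ItResult -Skipped -Because 'Test-MtCisaDiagnosticSettings returned null (not connected to Azure)' }`. The same `if ($null -ne ...)` wrapper is repeated in the other test files of this series and would need the same treatment.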
@@ -19,6 +19,11 @@ Function Test-MtCisaDiagnosticSettings { [OutputType([bool])] param() + if(!(Test-MtConnection Azure)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedAzure + return $null + } + $logs = Invoke-AzRestMethod -Path "/providers/microsoft.aadiam/diagnosticSettingsCategories?api-version=2017-04-01-preview" $logs = ($logs.Content|ConvertFrom-Json).value $logs = ($logs | Where-Object { ` From 51192024f7b5fede85ca9b515e0bd66e1c92c551 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:10:13 -0700 Subject: [PATCH 03/29] Random space --- powershell/internal/Get-GraphObjectMarkdown.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/powershell/internal/Get-GraphObjectMarkdown.ps1 b/powershell/internal/Get-GraphObjectMarkdown.ps1 index 7e280baf..0298f6f3 100644 --- a/powershell/internal/Get-GraphObjectMarkdown.ps1 +++ b/powershell/internal/Get-GraphObjectMarkdown.ps1 @@ -33,7 +33,7 @@ Function Get-GraphObjectMarkdown { AuthorizationPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/UserSettings" ConditionalAccess = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/{0}" ConsentPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings" - Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" + Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" DiagnosticSettings = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" Domains = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DomainsManagementMenuBlade/~/CustomDomainNames" Groups = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupDetailsMenuBlade/~/Overview/groupId/{0}" From 9548a73e432285074512f79483973758b0f16f8c Mon Sep 17 00:00:00 2001 
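Review bot: The new `return $null` contradicts the `[OutputType([bool])]` declared two lines above, and the comment-based help outside the hunk presumably still documents a boolean; callers that do `Test-MtCisaDiagnosticSettings | Should -Be $true`, as the pre-patch test did, now see a failure instead of a skip. Document the tri-state in the help (`.OUTPUTS` — `$true`/`$false` result, `$null` when the check was skipped) and apply it consistently across the Test-MtCisa* functions this series touches. The guard also covers only a missing session: if `Invoke-AzRestMethod` returns a non-2xx response (for example a 403 for a principal without rights on `microsoft.aadiam`), `($logs.Content|ConvertFrom-Json).value` is likely empty and every category would be reported as unconfigured, so checking `$logs.StatusCode` before parsing would give a clear skip or error instead of a misleading fail.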
From: Snozz Date: Sat, 13 Jul 2024 18:25:43 -0700 Subject: [PATCH 04/29] Update AAD 4.1 to use result MD from test --- .../internal/Get-GraphObjectMarkdown.ps1 | 3 +- powershell/public/Add-MtTestResultDetail.ps1 | 2 +- .../Entra/Test-MtCisaDiagnosticSettings.ps1 | 30 +++++++++++++++++-- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/powershell/internal/Get-GraphObjectMarkdown.ps1 b/powershell/internal/Get-GraphObjectMarkdown.ps1 index 0298f6f3..603e9094 100644 --- a/powershell/internal/Get-GraphObjectMarkdown.ps1 +++ b/powershell/internal/Get-GraphObjectMarkdown.ps1 @@ -23,7 +23,7 @@ Function Get-GraphObjectMarkdown { # The type of graph object, this will be used to show the right deeplink to the test results report. [Parameter(Mandatory = $true)] [ValidateSet('AuthenticationMethod', 'AuthorizationPolicy', 'ConditionalAccess', 'ConsentPolicy', - 'Devices', 'DiagnosticSettings', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' + 'Devices', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' )] [string] $GraphObjectType ) @@ -34,7 +34,6 @@ Function Get-GraphObjectMarkdown { ConditionalAccess = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/{0}" ConsentPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings" Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" - DiagnosticSettings = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" Domains = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DomainsManagementMenuBlade/~/CustomDomainNames" Groups = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupDetailsMenuBlade/~/Overview/groupId/{0}" IdentityProtection = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/UsersAtRiskAlerts/fromNav/Identity" 
diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1 index f22125e7..375d2ba9 100644 --- a/powershell/public/Add-MtTestResultDetail.ps1 +++ b/powershell/public/Add-MtTestResultDetail.ps1 @@ -53,7 +53,7 @@ Function Add-MtTestResultDetail { # The type of graph object, this will be used to show the right deeplink to the test results report. [ValidateSet('AuthenticationMethod', 'AuthorizationPolicy', 'ConditionalAccess', 'ConsentPolicy', - 'Devices', 'DiagnosticSettings', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' + 'Devices', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' )] [string] $GraphObjectType, diff --git a/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 index 06d272e7..aaecaada 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 
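Review bot: Removing `'DiagnosticSettings'` from the `ValidateSet` of the public `Add-MtTestResultDetail -GraphObjectType` parameter is a breaking change for any custom Maester test outside this repository that still passes that value — parameter binding throws before any detail is recorded. If the deep link is no longer wanted, keep the value accepted for one release (mapping it to the same General blade URL that Get-GraphObjectMarkdown dropped) or at least call the removal out in the changelog. The parameter block continues outside the hunk.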
@@ -58,14 +58,38 @@ Function Test-MtCisaDiagnosticSettings { $actual["$_"] -eq $false } | Sort-Object + $array = $actual.Keys | ForEach-Object { ` + [pscustomobject]@{ + Log = "$_" + Enabled = "$($actual[$_])" + } + } + $testResult = $unsetLogs.Count -eq 0 + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has diagnostic settings configured for all logs." + $testResultMarkdown = "Well done. Your tenant has [diagnostic settings]($link) configured for all logs." } else { - $testResultMarkdown = "Your tenant does not have diagnostic settings configured for all logs:`n`n%unsetLogs%" + $testResultMarkdown = "Your tenant does not have [diagnostic settings]($link) configured for all logs:`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType DiagnosticSettings + + $result = "| Log Name | Result |" + $result += "| --- | --- |" + + foreach ($item in $array) { + $itemResult = $resultFail + if($item.Enabled){ + $itemResult = $resultPass + } + $result += "| $($item.Log) | $($itemResult) |`n" + } + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file From 7d53bfaa1ec4da1fa794be37f5c53be2360bfdd3 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:29:22 -0700 Subject: [PATCH 05/29] Tweak MD and fix cast to bool --- .../public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 index aaecaada..58e8123e 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaDiagnosticSettings.ps1 
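Review bot: The pass-branch markdown (`Well done. Your tenant has [diagnostic settings]($link) configured for all logs.`) contains no `%TestResult%` placeholder, so the per-category table assembled below is rendered only on failure and a passing report carries no evidence of which log categories are actually exported. Appending `` `n`n%TestResult% `` to the pass string, as later commits in this series do for the other controls, keeps both branches symmetric. A smaller point: `$result` is the replacement operand of `-replace`, where `$` sequences are interpreted; the Entra category names make this safe today, but `$testResultMarkdown.Replace('%TestResult%', $result)` substitutes literally and avoids the surprise.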
@@ -61,7 +61,7 @@ Function Test-MtCisaDiagnosticSettings { $array = $actual.Keys | ForEach-Object { ` [pscustomobject]@{ Log = "$_" - Enabled = "$($actual[$_])" + Enabled = $($actual[$_]) } } @@ -77,8 +77,8 @@ Function Test-MtCisaDiagnosticSettings { $testResultMarkdown = "Your tenant does not have [diagnostic settings]($link) configured for all logs:`n`n%TestResult%" } - $result = "| Log Name | Result |" - $result += "| --- | --- |" + $result = "| Log Name | Result |`n" + $result += "| --- | --- |`n" foreach ($item in $array) { $itemResult = $resultFail From 70c465b411e0046ada56fc57d851e22a48997161 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:41:45 -0700 Subject: [PATCH 06/29] Added skipped because graph --- powershell/internal/Get-MtSkippedReason.ps1 | 3 ++- powershell/public/Add-MtTestResultDetail.ps1 | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/powershell/internal/Get-MtSkippedReason.ps1 b/powershell/internal/Get-MtSkippedReason.ps1 index 3572a0eb..893196da 100644 --- a/powershell/internal/Get-MtSkippedReason.ps1 +++ b/powershell/internal/Get-MtSkippedReason.ps1 
@@ -9,9 +9,10 @@ function Get-MtSkippedReason { ) switch($SkippedBecause){ - "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/installation#optional-modules-and-permissions)" ; break} + "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} "NotConnectedExchange" { "Not connected to Exchange Online. See [Connecting to Exchange Online](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} "NotConnectedSecurityCompliance" { "Not connected to Security & Compliance. See [Connecting to Security & Compliance](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} + "NotConnectedGraph" { "Not connected to Graph. See [Connect-Maester](https://maester.dev/docs/commands/Connect-Maester#examples)"; break} "NotDotGovDomain" { "This test is only for federal, executive branch, departments and agencies. To override use [Test-MtCisaDmarcAggregateCisa -Force](https://maester.dev/docs/commands/Test-MtCisaDmarcAggregateCisa)"; break} "NotLicensedEntraIDP1" { "This test is for tenants that are licensed for Entra ID P1. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break} "NotLicensedEntraIDP2" { "This test is for tenants that are licensed for Entra ID P2. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break} diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1 index 375d2ba9..cb471c48 100644 --- a/powershell/public/Add-MtTestResultDetail.ps1 +++ b/powershell/public/Add-MtTestResultDetail.ps1 
@@ -62,7 +62,7 @@ Function Add-MtTestResultDetail { [Parameter(Mandatory = $false)] [string] $TestName = $____Pester.CurrentTest.ExpandedName, - [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', + [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', "LicensedEntraIDPremium", 'NotSupported' )] [string] $SkippedBecause From 41631bf3f0048e7a980d3d5995823a21e2544178 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:55:17 -0700 Subject: [PATCH 07/29] Fix AAD 3.3 results --- .../CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 b/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 index 0f5e145d..2d45acf6 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 @@ -17,6 +17,11 @@ Function Test-MtCisaAuthenticatorContext { [OutputType([bool])] param() + if(!(Test-MtConnection Graph)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedGraph + return $null + } + $result = Get-MtAuthenticationMethodPolicyConfig $policies = $result | Where-Object {` 
@@ -31,12 +36,15 @@ Function Test-MtCisaAuthenticatorContext { $testResult = ($policies|Measure-Object).Count -ge 1 + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/Identity" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has the Authentication Methods policy for Microsoft Authenticator set appropriately:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." } else { - $testResultMarkdown = "Your tenant does not have the Authentication Methods policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType AuthenticationMethod -GraphObjects $policies + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file From 9a7575b5748eb910f912c7440c2c30bd497068a5 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:01:38 -0700 Subject: [PATCH 08/29] Update skip --- .../CISA/Entra/Test-MtCisaActivationNotification.ps1 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 index 0aeacd14..b0bf2bbf 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 
@@ -27,8 +27,16 @@ Function Test-MtCisaActivationNotification { $EntraIDPlan = Get-MtLicenseInformation -Product EntraID $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance" - if(-not $pim){ - return $false + if(!(Test-MtConnection Graph)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedGraph + return $null + }elseif(-not $pim){ + if($EntraIDPlan -ne "P2"){ + Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2 + }elseif($EntraIDPlan -ne "Governance"){ + Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDGovernance + } + return $null } $roles = Get-MtRole -CisaHighlyPrivilegedRoles From c15565e955f8aea0b6390ab2ab16b655aa98ce43 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:04:00 -0700 Subject: [PATCH 09/29] Fix tests --- ...MtCisaActivationNotificationGlobalAdmin.Tests.ps1 | 12 ++++++------ .../Test-MtCisaActivationNotificationOther.Tests.ps1 | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 index f1e13d5f..bc6ec5f9 100644 --- a/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 
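Review bot: Inside `elseif(-not $pim)` the plan is by construction neither `P2` nor `Governance`, so `$EntraIDPlan -ne "P2"` is always true and the nested `elseif($EntraIDPlan -ne "Governance")` branch is unreachable; every unlicensed tenant is tagged `NotLicensedEntraIDP2` although Governance alone satisfies the precondition. A single skip reason without the dead branch expresses this directly: `}elseif(-not $pim){ Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2; return $null }`, with the skip text in Get-MtSkippedReason mentioning that Governance also qualifies. Note too that `Get-MtLicenseInformation` still runs before the Graph connection check, so an unconnected session hits the Graph call inside that helper first. The function body continues outside the hunk.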
@@ -1,9 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" { It "MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert." { - Test-MtCisaActivationNotification -GlobalAdminOnly | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + $result = Test-MtCisaActivationNotification + + if ($null -ne $result) { + $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + } } } \ No newline at end of file diff --git a/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 index 191aa32c..cb4e341e 100644 --- a/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 @@ -1,9 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" { It "MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert." { - Test-MtCisaActivationNotification -GlobalAdminOnly | Should -Be $true -Because "notifications are set for activation of highly privileged roles." + $result = Test-MtCisaActivationNotification -GlobalAdminOnly + + if ($null -ne $result) { + $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + } } } \ No newline at end of file From 3fa3ed5959f9418ddc2acc8e7f53cdbfca3ad2ba Mon Sep 17 00:00:00 2001 
From: Snozz Date: Sat, 13 Jul 2024 19:09:47 -0700 Subject: [PATCH 10/29] Fix tests --- .../Entra/Test-MtCisaActivationNotification.ps1 | 5 ++--- ...saActivationNotificationGlobalAdmin.Tests.ps1 | 2 +- ...t-MtCisaActivationNotificationOther.Tests.ps1 | 4 ++-- .../Test-MtCisaAuthenticatorContext.Tests.ps1 | 16 ++++++---------- 4 files changed, 11 insertions(+), 16 deletions(-) diff --git a/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 index b0bf2bbf..ca730479 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 @@ -25,12 +25,11 @@ Function Test-MtCisaActivationNotification { [switch]$GlobalAdminOnly ) - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID - $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance" if(!(Test-MtConnection Graph)){ Add-MtTestResultDetail -SkippedBecause NotConnectedGraph return $null - }elseif(-not $pim){ + }else{ + $EntraIDPlan = Get-MtLicenseInformation -Product EntraID if($EntraIDPlan -ne "P2"){ Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2 }elseif($EntraIDPlan -ne "Governance"){ diff --git a/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 index bc6ec5f9..366cd04c 100644 --- a/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 
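Review bot: Dropping the `$pim` precondition makes the `else` branch unconditional for every connected tenant: a `P2` plan fails `-ne "P2"` but passes `-ne "Governance"` (skipped as not Governance), a `Governance` plan passes `-ne "P2"` (skipped as not P2), and the `return $null` that the previous commit placed after this if/elseif is not removed here. Unless that `return` was moved out of the branch outside the hunk, MS.AAD.7.8 and 7.9 can no longer reach the role-policy comparison and are always reported as skipped. The check needs to be a conjunction, e.g. `if ($EntraIDPlan -notin @('P2','Governance')) { Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2; return $null }`. The function body continues outside the hunk.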
@@ -1,6 +1,6 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" { It "MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert." { - $result = Test-MtCisaActivationNotification + $result = Test-MtCisaActivationNotification -GlobalAdminOnly if ($null -ne $result) { $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." diff --git a/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 index cb4e341e..d9560475 100644 --- a/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaActivationNotificationOther.Tests.ps1 @@ -1,9 +1,9 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" { It "MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert." { - $result = Test-MtCisaActivationNotification -GlobalAdminOnly + $result = Test-MtCisaActivationNotification if ($null -ne $result) { - $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + $result | Should -Be $true -Because "notifications are set for activation of highly privileged roles." } } } \ No newline at end of file diff --git a/tests/CISA/Entra/Test-MtCisaAuthenticatorContext.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaAuthenticatorContext.Tests.ps1 index 8ed37819..b7e73c24 100644 --- a/tests/CISA/Entra/Test-MtCisaAuthenticatorContext.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaAuthenticatorContext.Tests.ps1 
@@ -1,13 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID - - $result = Get-MtAuthenticationMethodPolicyConfig - - $authenticator = $result | Where-Object { $_.id -eq "MicrosoftAuthenticator" } -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.3", "CISA", "Security", "All" -Skip:( ($EntraIDPlan -eq "Free") -or (Test-MtCisaPhishResistant) -or $authenticator.state -eq "disabled") { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.3", "CISA", "Security", "All" { It "MS.AAD.3.3: If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information." { - Test-MtCisaAuthenticatorContext | Should -Be $true -Because "Microsoft Authenticator is configured to show login context information." + $result = Test-MtCisaAuthenticatorContext + + if ($null -ne $result) { + $result | Should -Be $true -Because "Microsoft Authenticator is configured to show login context information." + } } } \ No newline at end of file From 5eeb08c066421c375ed55887aa336c572da241da Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:18:13 -0700 Subject: [PATCH 11/29] Cleanup dependency --- .../Entra/Test-MtCisaAuthenticatorContext.ps1 | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 b/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 index 2d45acf6..8f3cfc32 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaAuthenticatorContext.ps1 @@ -22,6 +22,8 @@ Function Test-MtCisaAuthenticatorContext { return $null } + $isMethodsMigrationComplete = Test-MtCisaMethodsMigration + $result = Get-MtAuthenticationMethodPolicyConfig $policies = $result | Where-Object {` 
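Review bot: The deleted `-Skip` expression encoded two preconditions of the control itself — phishing-resistant MFA not enforced (`Test-MtCisaPhishResistant`) and Microsoft Authenticator not `disabled` — and neither is moved into `Test-MtCisaAuthenticatorContext`; the guard added in the hunk below checks only the Graph connection, and the later commit adds only a methods-migration check. A tenant that has enforced phishing-resistant MFA or disabled Authenticator will therefore be reported as failing MS.AAD.3.3 although the `It` text makes the requirement conditional. Re-add both conditions inside the function as skip paths returning `$null` (`NotSupported` is the closest existing value in the `SkippedBecause` set) so the test file stays a thin wrapper.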
@@ -34,15 +36,25 @@ Function Test-MtCisaAuthenticatorContext { $_.featureSettings.displayLocationInformationRequiredState.state -eq "enabled" -and ` $_.featureSettings.displayLocationInformationRequiredState.includeTarget.id -contains "all_users" } - $testResult = ($policies|Measure-Object).Count -ge 1 + $testResult = (($policies|Measure-Object).Count -ge 1) -and $isMethodsMigrationComplete $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/Identity" if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately.`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately or migration to Authentication Methods is not complete.`n`n%TestResult%" + } + + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if($isMethodsMigrationComplete){ + $migrationResult = $resultPass + }else{ + $migrationResult = $resultFail } + $result = "[Authentication Methods]($link) Migration Complete: $migrationResult" + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result Add-MtTestResultDetail -Result $testResultMarkdown From 990ac080a6f50d6758a3e2a6db77c2135f79ff33 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:27:52 -0700 Subject: [PATCH 12/29] Updated results MD --- .../Test-MtCisaActivationNotification.ps1 | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) 
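Review bot: `$testResult` now also requires `$isMethodsMigrationComplete`, but the rendered detail shows only the migration row, so a tenant with migration complete and no compliant Authenticator policy displays a single `✅ Pass` line under a failing test. Add a row for the policy check itself, e.g. `` $result += "`n`nContext information required for all users: $(if ($policies) { $resultPass } else { $resultFail })" ``. If `Test-MtCisaMethodsMigration` follows the `$null`-on-skip convention introduced in this series, `-and $isMethodsMigrationComplete` also turns its skip into a failure of 3.3; compare against `$true` explicitly or propagate the skip. Reusing `$result` for the markdown string after it held the `Get-MtAuthenticationMethodPolicyConfig` output is confusing — a separate `$resultMarkdown` would read better.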
diff --git a/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 index ca730479..27a6c1b9 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaActivationNotification.ps1 @@ -81,11 +81,28 @@ Function Test-MtCisaActivationNotification { $testResult = ($misconfigured|Measure-Object).Count -eq 0 + $link = "https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/roles/resourceId//resourceType/tenant/provider/aadroles" + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has notifications for role activations:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has notifications for [role activations]($link).`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have notifications on role activations." + $testResultMarkdown = "Your tenant does not have notifications on [role activations]($link).`n`n%TestResult%" + } + + $result = "| Role Name | Result |`n" + $result += "| --- | --- |`n" + + foreach ($item in $rolePolicies) { + $itemResult = $resultFail + if($item.activationNotify){ + $itemResult = $resultPass + } + $result += "| $($item.role) | $($itemResult) |`n" } + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult From 27baf0c3ca0ca57bd21226c4cbc48df37afcf3bb Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:30:01 -0700 Subject: [PATCH 13/29] Fix AAD 8.3 --- tests/CISA/Entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/CISA/Entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 b/tests/CISA/Entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 index e789ad68..3fdd8e20 100644 
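Review bot: The table is built from `$rolePolicies` while the verdict comes from `$misconfigured`, both defined above the hunk; if the `-GlobalAdminOnly` switch filters `$misconfigured` but not `$rolePolicies`, the MS.AAD.7.8 report would list roles that did not influence the result, so the loop should iterate the same filtered set or mark out-of-scope roles. Stylistically this is the third copy in the series of the `$resultFail`/`$resultPass` literals and a hand-rolled `| Name | Result |` loop (Test-MtCisaDiagnosticSettings, Test-MtCisaAuthenticatorContext); an internal helper taking name/boolean pairs would keep the icons and table shape consistent. The function body continues outside the hunk.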
--- a/tests/CISA/Entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 +++ b/tests/CISA/Entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 @@ -1,5 +1,5 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.8.3", "CISA", "Security", "All" { It "MS.AAD.8.3: Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes." { - Test-MtCisaCrossTenantInboundDefault -GlobalAdminOnly | Should -Be $true -Because "default inbound cross-tenant access policy is set to block." + Test-MtCisaCrossTenantInboundDefault | Should -Be $true -Because "default inbound cross-tenant access policy is set to block." } } \ No newline at end of file From bdc757e3e3c1dc40fcf20e61dbf2fcfc3284eda6 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:36:15 -0700 Subject: [PATCH 14/29] Fix AAD 7.2 --- .../public/CISA/Entra/Test-MtCisaCloudGlobalAdmin.md | 3 --- .../public/CISA/Entra/Test-MtCisaGlobalAdminCount.md | 3 --- .../public/CISA/Entra/Test-MtCisaGlobalAdminRatio.md | 3 --- .../public/CISA/Entra/Test-MtCisaGlobalAdminRatio.ps1 | 11 +++++++---- 4 files changed, 7 insertions(+), 13 deletions(-) diff --git a/powershell/public/CISA/Entra/Test-MtCisaCloudGlobalAdmin.md b/powershell/public/CISA/Entra/Test-MtCisaCloudGlobalAdmin.md index 481f40a4..1a9f6fc5 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaCloudGlobalAdmin.md +++ b/powershell/public/CISA/Entra/Test-MtCisaCloudGlobalAdmin.md @@ -14,8 +14,5 @@ Rationale: Many privileged administrative users do not need unfettered access to * [CISA 7.3 Highly Privileged User Access - MS.AAD.7.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad73v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L833) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% 
diff --git a/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminCount.md b/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminCount.md index 7c5a7a22..9f7937c0 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminCount.md +++ b/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminCount.md @@ -20,8 +20,5 @@ When counting the number of users assigned to the Global Administrator role, **c * [CISA 7.1 Highly Privileged User Access - MS.AAD.7.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad71v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L761) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.md b/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.md index 9bbd708e..e62a7246 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.md +++ b/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.md @@ -17,8 +17,5 @@ This policy is based on the ratio below: * [CISA 7.2 Highly Privileged User Access - MS.AAD.7.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad72v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L792) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.ps1 b/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.ps1 index 1118c037..19dfab14 100644 --- a/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.ps1 +++ b/powershell/public/CISA/Entra/Test-MtCisaGlobalAdminRatio.ps1 
@@ -48,14 +48,17 @@ Function Test-MtCisaGlobalAdminRatio { $testResult = $false } - $users = $roleAssignments.assignments | Sort-Object id -Unique + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles" if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has more granular role assignments than global admin assignments:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has more granular [role assignments]($link) than global admin assignments.`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have enough granular role assignments." + $testResultMarkdown = "Your tenant does not have enough granular [role assignments]($link).`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType Users -GraphObjects $users + $result = "$ratio = $($globalAdministrators.Count) / $($otherAssignments.Count)" + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file From 9a1b05754544bac9e00bf623840caf7bba142d17 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:07:08 -0700 Subject: [PATCH 15/29] Fixes AAD 4.1 --- .../entra/Test-MtCisaDiagnosticSettings.Tests.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 b/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 index e5504eb5..db58a8bc 100644 --- a/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 
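Review bot: This commit deletes the "Current test only captures active role assignments" note from three .md files, yet nothing in this hunk or elsewhere in the visible series changes how `$globalAdministrators` and `$otherAssignments` are collected, so the limitation (issue #195) appears to be undocumented rather than fixed; if eligible PIM assignments are still excluded, keep the caveat in the markdown or append it to the `%TestResult%` line. Dropping `-GraphObjectType Users -GraphObjects $users` also removes the list of Global Administrator accounts from the report, which is the most actionable evidence for MS.AAD.7.2. The new `"$ratio = ..."` line prints the numbers but not the threshold used in the comparison above the hunk; including that constant in the line lets a reader judge the result. The function body continues outside the hunk.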
@@ -1,9 +1,9 @@ -BeforeAll { - $azureSession = Test-MtConnection -Service Azure -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.4.1", "CISA", "Security", "All" -Skip:((-not $azureSession)) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.4.1", "CISA", "Security", "All" { It "MS.AAD.4.1: Security logs SHALL be sent to the agency's security operations center for monitoring." { - Test-MtCisaDiagnosticSettings | Should -Be $true -Because "diagnostic settings are configured for all logs." + $cisaDiagnosticSettings = Test-MtCisaDiagnosticSettings + + if ($null -ne $cisaDiagnosticSettings) { + $cisaDiagnosticSettings | Should -Be $true -Because "diagnostic settings are configured for all logs." + } } } \ No newline at end of file From bbb663c6d8050009452237a1f98204a89ffd6379 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:07:13 -0700 Subject: [PATCH 16/29] Fixes AAD 4.1 --- .../public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 index ab0476d1..06d272e7 100644 --- a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 @@ -19,6 +19,11 @@ Function Test-MtCisaDiagnosticSettings { [OutputType([bool])] param() + if(!(Test-MtConnection Azure)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedAzure + return $null + } + $logs = Invoke-AzRestMethod -Path "/providers/microsoft.aadiam/diagnosticSettingsCategories?api-version=2017-04-01-preview" $logs = ($logs.Content|ConvertFrom-Json).value $logs = ($logs | Where-Object { ` From 63e41b0ae023553d35f86be8e6cbae469eddb563 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:10:13 -0700 Subject: [PATCH 17/29] Random space --- powershell/internal/Get-GraphObjectMarkdown.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
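Review bot: When `Test-MtCisaDiagnosticSettings` returns `$null`, the `It` block runs no assertion, so Pester reports MS.AAD.4.1 as passed rather than skipped unless `Add-MtTestResultDetail -SkippedBecause` (not part of this patch) marks the test skipped itself. An explicit `else { Set-ItResult -Skipped -Because "not connected to Azure" }` would make the not-connected outcome visible in the report instead of an apparent pass. The same guard shape is used by the test files in PATCH 23 and PATCH 24.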
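Review bot: `[OutputType([bool])]` on Test-MtCisaDiagnosticSettings no longer describes the function, which now returns `$null` on the not-connected path, and nothing near the guard says that callers must treat `$null` as "skipped" rather than as a failed check. A comment above the new block, `# $null signals "skipped" to the Pester test (not connected to Azure); it is not a failure result.`, plus a matching `.OUTPUTS` note in the comment-based help (outside this hunk) would document the contract. The same applies to the identical guard added to Test-MtCisaAuthenticatorContext in PATCH 21.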
diff --git a/powershell/internal/Get-GraphObjectMarkdown.ps1 b/powershell/internal/Get-GraphObjectMarkdown.ps1 index 7e280baf..0298f6f3 100644 --- a/powershell/internal/Get-GraphObjectMarkdown.ps1 +++ b/powershell/internal/Get-GraphObjectMarkdown.ps1 @@ -33,7 +33,7 @@ Function Get-GraphObjectMarkdown { AuthorizationPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/UserSettings" ConditionalAccess = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/{0}" ConsentPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings" - Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" + Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" DiagnosticSettings = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" Domains = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DomainsManagementMenuBlade/~/CustomDomainNames" Groups = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupDetailsMenuBlade/~/Overview/groupId/{0}" From 7c630264656a8ac358e5fd575449295844101623 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:25:43 -0700 Subject: [PATCH 18/29] Update AAD 4.1 to use result MD from test --- .../internal/Get-GraphObjectMarkdown.ps1 | 3 +- powershell/public/Add-MtTestResultDetail.ps1 | 2 +- .../entra/Test-MtCisaDiagnosticSettings.ps1 | 30 +++++++++++++++++-- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/powershell/internal/Get-GraphObjectMarkdown.ps1 b/powershell/internal/Get-GraphObjectMarkdown.ps1 index 0298f6f3..603e9094 100644 --- a/powershell/internal/Get-GraphObjectMarkdown.ps1 +++ b/powershell/internal/Get-GraphObjectMarkdown.ps1 
@@ -23,7 +23,7 @@ Function Get-GraphObjectMarkdown { # The type of graph object, this will be used to show the right deeplink to the test results report. [Parameter(Mandatory = $true)] [ValidateSet('AuthenticationMethod', 'AuthorizationPolicy', 'ConditionalAccess', 'ConsentPolicy', - 'Devices', 'DiagnosticSettings', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' + 'Devices', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' )] [string] $GraphObjectType ) @@ -34,7 +34,6 @@ Function Get-GraphObjectMarkdown { ConditionalAccess = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/{0}" ConsentPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings" Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" - DiagnosticSettings = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" Domains = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DomainsManagementMenuBlade/~/CustomDomainNames" Groups = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupDetailsMenuBlade/~/Overview/groupId/{0}" IdentityProtection = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/UsersAtRiskAlerts/fromNav/Identity" diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1 index f22125e7..375d2ba9 100644 --- a/powershell/public/Add-MtTestResultDetail.ps1 +++ b/powershell/public/Add-MtTestResultDetail.ps1 
@@ -53,7 +53,7 @@ Function Add-MtTestResultDetail { # The type of graph object, this will be used to show the right deeplink to the test results report. [ValidateSet('AuthenticationMethod', 'AuthorizationPolicy', 'ConditionalAccess', 'ConsentPolicy', - 'Devices', 'DiagnosticSettings', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' + 'Devices', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' )] [string] $GraphObjectType, diff --git a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 index 06d272e7..aaecaada 100644 --- a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 
@@ -58,14 +58,38 @@ Function Test-MtCisaDiagnosticSettings { $actual["$_"] -eq $false } | Sort-Object + $array = $actual.Keys | ForEach-Object { ` + [pscustomobject]@{ + Log = "$_" + Enabled = "$($actual[$_])" + } + } + $testResult = $unsetLogs.Count -eq 0 + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has diagnostic settings configured for all logs." + $testResultMarkdown = "Well done. Your tenant has [diagnostic settings]($link) configured for all logs." } else { - $testResultMarkdown = "Your tenant does not have diagnostic settings configured for all logs:`n`n%unsetLogs%" + $testResultMarkdown = "Your tenant does not have [diagnostic settings]($link) configured for all logs:`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType DiagnosticSettings + + $result = "| Log Name | Result |" + $result += "| --- | --- |" + + foreach ($item in $array) { + $itemResult = $resultFail + if($item.Enabled){ + $itemResult = $resultPass + } + $result += "| $($item.Log) | $($itemResult) |`n" + } + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file From 04aaabaf3054412226289f5b94d0cdecae4c80a8 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:29:22 -0700 Subject: [PATCH 19/29] Tweak MD and fix cast to bool --- .../public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 index aaecaada..58e8123e 100644 --- a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 
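Review bot: The `$resultFail`/`$resultPass` markers and the `| Name | Result |` table loop introduced here are duplicated almost verbatim in PATCH 25 (Test-MtCisaAuthenticatorContext) and PATCH 26 (Test-MtCisaActivationNotification); an internal helper that takes the item list and a pass predicate would keep the result markdown consistent across the CISA tests. Note also that only the failure branch contains `%TestResult%`, so the per-log table is built on every run but discarded when the test passes; if that is intended, a comment such as `# table is only rendered on failure` would save the next reader from assuming a bug.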
@@ -61,7 +61,7 @@ Function Test-MtCisaDiagnosticSettings { $array = $actual.Keys | ForEach-Object { ` [pscustomobject]@{ Log = "$_" - Enabled = "$($actual[$_])" + Enabled = $($actual[$_]) } } @@ -77,8 +77,8 @@ Function Test-MtCisaDiagnosticSettings { $testResultMarkdown = "Your tenant does not have [diagnostic settings]($link) configured for all logs:`n`n%TestResult%" } - $result = "| Log Name | Result |" - $result += "| --- | --- |" + $result = "| Log Name | Result |`n" + $result += "| --- | --- |`n" foreach ($item in $array) { $itemResult = $resultFail From d0a154d7bdeb66753095d9bc8f16b761d1bd1316 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:41:45 -0700 Subject: [PATCH 20/29] Added skipped because graph --- powershell/internal/Get-MtSkippedReason.ps1 | 3 ++- powershell/public/Add-MtTestResultDetail.ps1 | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/powershell/internal/Get-MtSkippedReason.ps1 b/powershell/internal/Get-MtSkippedReason.ps1 index 3572a0eb..893196da 100644 --- a/powershell/internal/Get-MtSkippedReason.ps1 +++ b/powershell/internal/Get-MtSkippedReason.ps1 
@@ -9,9 +9,10 @@ function Get-MtSkippedReason { ) switch($SkippedBecause){ - "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/installation#optional-modules-and-permissions)" ; break} + "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} "NotConnectedExchange" { "Not connected to Exchange Online. See [Connecting to Exchange Online](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} "NotConnectedSecurityCompliance" { "Not connected to Security & Compliance. See [Connecting to Security & Compliance](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} + "NotConnectedGraph" { "Not connected to Graph. See [Connect-Maester](https://maester.dev/docs/commands/Connect-Maester#examples)"; break} "NotDotGovDomain" { "This test is only for federal, executive branch, departments and agencies. To override use [Test-MtCisaDmarcAggregateCisa -Force](https://maester.dev/docs/commands/Test-MtCisaDmarcAggregateCisa)"; break} "NotLicensedEntraIDP1" { "This test is for tenants that are licensed for Entra ID P1. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break} "NotLicensedEntraIDP2" { "This test is for tenants that are licensed for Entra ID P2. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break} diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1 index 375d2ba9..cb471c48 100644 --- a/powershell/public/Add-MtTestResultDetail.ps1 +++ b/powershell/public/Add-MtTestResultDetail.ps1 
@@ -62,7 +62,7 @@ Function Add-MtTestResultDetail { [Parameter(Mandatory = $false)] [string] $TestName = $____Pester.CurrentTest.ExpandedName, - [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', + [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', "LicensedEntraIDPremium", 'NotSupported' )] [string] $SkippedBecause From a7ad3705523c5ed2364d25105ab664d070f61da4 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 18:55:17 -0700 Subject: [PATCH 21/29] Fix AAD 3.3 results --- .../cisa/entra/Test-MtCisaAuthenticatorContext.ps1 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 index 0f5e145d..2d45acf6 100644 --- a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 @@ -17,6 +17,11 @@ Function Test-MtCisaAuthenticatorContext { [OutputType([bool])] param() + if(!(Test-MtConnection Graph)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedGraph + return $null + } + $result = Get-MtAuthenticationMethodPolicyConfig $policies = $result | Where-Object {` 
@@ -31,12 +36,15 @@ Function Test-MtCisaAuthenticatorContext { $testResult = ($policies|Measure-Object).Count -ge 1 + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/Identity" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has the Authentication Methods policy for Microsoft Authenticator set appropriately:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." } else { - $testResultMarkdown = "Your tenant does not have the Authentication Methods policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType AuthenticationMethod -GraphObjects $policies + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file From 0f4dc561512fe44bc22dc4052dc4617f73c384a5 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:01:38 -0700 Subject: [PATCH 22/29] Update skip --- .../cisa/entra/Test-MtCisaActivationNotification.ps1 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 index 0aeacd14..b0bf2bbf 100644 --- a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 
@@ -27,8 +27,16 @@ Function Test-MtCisaActivationNotification { $EntraIDPlan = Get-MtLicenseInformation -Product EntraID $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance" - if(-not $pim){ - return $false + if(!(Test-MtConnection Graph)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedGraph + return $null + }elseif(-not $pim){ + if($EntraIDPlan -ne "P2"){ + Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2 + }elseif($EntraIDPlan -ne "Governance"){ + Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDGovernance + } + return $null } $roles = Get-MtRole -CisaHighlyPrivilegedRoles From 3a40dcbaad38314eaebffeebd04f28cf257479bf Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:04:00 -0700 Subject: [PATCH 23/29] Fix tests --- ...MtCisaActivationNotificationGlobalAdmin.Tests.ps1 | 12 ++++++------ .../Test-MtCisaActivationNotificationOther.Tests.ps1 | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 b/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 index f1e13d5f..bc6ec5f9 100644 --- a/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 
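Review bot: Inside `elseif(-not $pim)` the plan is by construction neither `P2` nor `Governance`, so `$EntraIDPlan -ne "P2"` is always true and the `elseif($EntraIDPlan -ne "Governance")` branch is unreachable; the skip reason will always be `NotLicensedEntraIDP2`. The inner chain can be reduced to `Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2` followed by `return $null`, which states the actual behaviour. Test-MtCisaActivationNotification continues past this hunk.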
@@ -1,9 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" { It "MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert." { - Test-MtCisaActivationNotification -GlobalAdminOnly | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + $result = Test-MtCisaActivationNotification + + if ($null -ne $result) { + $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + } } } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 b/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 index 191aa32c..cb4e341e 100644 --- a/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 @@ -1,9 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" { It "MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert." { - Test-MtCisaActivationNotification -GlobalAdminOnly | Should -Be $true -Because "notifications are set for activation of highly privileged roles." + $result = Test-MtCisaActivationNotification -GlobalAdminOnly + + if ($null -ne $result) { + $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + } } } \ No newline at end of file From 17cd6b1ee9846922645d6fc97daf92d755dad511 Mon Sep 17 00:00:00 2001 
From: Snozz Date: Sat, 13 Jul 2024 19:09:47 -0700 Subject: [PATCH 24/29] Fix tests --- .../entra/Test-MtCisaActivationNotification.ps1 | 5 ++--- ...saActivationNotificationGlobalAdmin.Tests.ps1 | 2 +- ...t-MtCisaActivationNotificationOther.Tests.ps1 | 4 ++-- .../Test-MtCisaAuthenticatorContext.Tests.ps1 | 16 ++++++---------- 4 files changed, 11 insertions(+), 16 deletions(-) diff --git a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 index b0bf2bbf..ca730479 100644 --- a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 @@ -25,12 +25,11 @@ Function Test-MtCisaActivationNotification { [switch]$GlobalAdminOnly ) - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID - $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance" if(!(Test-MtConnection Graph)){ Add-MtTestResultDetail -SkippedBecause NotConnectedGraph return $null - }elseif(-not $pim){ + }else{ + $EntraIDPlan = Get-MtLicenseInformation -Product EntraID if($EntraIDPlan -ne "P2"){ Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2 }elseif($EntraIDPlan -ne "Governance"){ diff --git a/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 b/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 index bc6ec5f9..366cd04c 100644 --- a/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 
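Review bot: Replacing `}elseif(-not $pim){` with `}else{` makes the license branch skip every tenant: a `P2` plan fails `-ne "P2"` and lands in the `-ne "Governance"` branch, a `Governance` plan lands in the `-ne "P2"` branch, and any other plan lands in the first branch, so `Add-MtTestResultDetail -SkippedBecause` is always called. The `return $null` that closes this block in PATCH 22 lies just past the end of this hunk and is not touched by this commit, so the function appears to never reach `Get-MtRole` and the MS.AAD.7.8/7.9 tests can no longer assert anything. The guard should skip only when the plan is neither `P2` nor `Governance`, as below.
```powershell
    if(!(Test-MtConnection Graph)){
        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
        return $null
    }
    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
    if($EntraIDPlan -ne "P2" -and $EntraIDPlan -ne "Governance"){
        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
        return $null
    }
    # … unchanged: $roles = Get-MtRole -CisaHighlyPrivilegedRoles and the rest of the function …
```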
@@ -1,6 +1,6 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" { It "MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert." { - $result = Test-MtCisaActivationNotification + $result = Test-MtCisaActivationNotification -GlobalAdminOnly if ($null -ne $result) { $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." diff --git a/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 b/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 index cb4e341e..d9560475 100644 --- a/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 @@ -1,9 +1,9 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" { It "MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert." { - $result = Test-MtCisaActivationNotification -GlobalAdminOnly + $result = Test-MtCisaActivationNotification if ($null -ne $result) { - $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + $result | Should -Be $true -Because "notifications are set for activation of highly privileged roles." } } } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 b/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 index 8ed37819..b7e73c24 100644 --- a/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 
@@ -1,13 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID - - $result = Get-MtAuthenticationMethodPolicyConfig - - $authenticator = $result | Where-Object { $_.id -eq "MicrosoftAuthenticator" } -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.3", "CISA", "Security", "All" -Skip:( ($EntraIDPlan -eq "Free") -or (Test-MtCisaPhishResistant) -or $authenticator.state -eq "disabled") { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.3", "CISA", "Security", "All" { It "MS.AAD.3.3: If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information." { - Test-MtCisaAuthenticatorContext | Should -Be $true -Because "Microsoft Authenticator is configured to show login context information." + $result = Test-MtCisaAuthenticatorContext + + if ($null -ne $result) { + $result | Should -Be $true -Because "Microsoft Authenticator is configured to show login context information." + } } } \ No newline at end of file From 3d682bf5b01076859dfeb6d73b0737b3b30470d3 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:18:13 -0700 Subject: [PATCH 25/29] Cleanup dependency --- .../entra/Test-MtCisaAuthenticatorContext.ps1 | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 index 2d45acf6..8f3cfc32 100644 --- a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 @@ -22,6 +22,8 @@ Function Test-MtCisaAuthenticatorContext { return $null } + $isMethodsMigrationComplete = Test-MtCisaMethodsMigration + $result = Get-MtAuthenticationMethodPolicyConfig $policies = $result | Where-Object {` 
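Review bot: The removed `-Skip:` expression excluded tenants where `Test-MtCisaPhishResistant` is true or the Microsoft Authenticator method is `disabled`, which is exactly the "if phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled" condition in the MS.AAD.3.3 title; the new test always runs, and the parts of Test-MtCisaAuthenticatorContext visible in PATCH 21 and PATCH 25 check only the Graph connection, the methods migration and the policy feature settings. Unless those conditions are handled in a part of the function outside these hunks, a tenant that enforces phishing-resistant MFA and has Authenticator disabled will now be reported as failing a control that does not apply to it. Moving the two conditions into the function as a skip path (`Add-MtTestResultDetail -SkippedBecause NotSupported` and `return $null`, mirroring the connection guard) would preserve the previous behaviour.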
@@ -34,15 +36,25 @@ Function Test-MtCisaAuthenticatorContext { $_.featureSettings.displayLocationInformationRequiredState.state -eq "enabled" -and ` $_.featureSettings.displayLocationInformationRequiredState.includeTarget.id -contains "all_users" } - $testResult = ($policies|Measure-Object).Count -ge 1 + $testResult = (($policies|Measure-Object).Count -ge 1) -and $isMethodsMigrationComplete $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/Identity" if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately.`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately or migration to Authentication Methods is not complete.`n`n%TestResult%" + } + + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if($isMethodsMigrationComplete){ + $migrationResult = $resultPass + }else{ + $migrationResult = $resultFail } + $result = "[Authentication Methods]($link) Migration Complete: $migrationResult" + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result Add-MtTestResultDetail -Result $testResultMarkdown From 12161d30e9d8031671c45f5819ebe2220eaaa221 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:27:52 -0700 Subject: [PATCH 26/29] Updated results MD --- .../Test-MtCisaActivationNotification.ps1 | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) 
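Review bot: `$result` is reassigned here to the migration markdown line, but earlier in the same function (context in PATCH 21 and PATCH 25) `$result` holds the output of `Get-MtAuthenticationMethodPolicyConfig` that `$policies` is derived from; reusing the name for a string makes the function harder to follow and risks a later edit reading the wrong value. A distinct name such as `$migrationDetail = "[Authentication Methods]($link) Migration Complete: $migrationResult"` would keep the two meanings apart. The function continues past this hunk.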
diff --git a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 index ca730479..27a6c1b9 100644 --- a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 @@ -81,11 +81,28 @@ Function Test-MtCisaActivationNotification { $testResult = ($misconfigured|Measure-Object).Count -eq 0 + $link = "https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/roles/resourceId//resourceType/tenant/provider/aadroles" + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has notifications for role activations:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has notifications for [role activations]($link).`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have notifications on role activations." + $testResultMarkdown = "Your tenant does not have notifications on [role activations]($link).`n`n%TestResult%" + } + + $result = "| Role Name | Result |`n" + $result += "| --- | --- |`n" + + foreach ($item in $rolePolicies) { + $itemResult = $resultFail + if($item.activationNotify){ + $itemResult = $resultPass + } + $result += "| $($item.role) | $($itemResult) |`n" } + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult From fc2f6dc6ae9dfd600172889149d96c8e3dc8357b Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:30:01 -0700 Subject: [PATCH 27/29] Fix AAD 8.3 --- tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 b/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 index e789ad68..3fdd8e20 100644 
--- a/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 @@ -1,5 +1,5 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.8.3", "CISA", "Security", "All" { It "MS.AAD.8.3: Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes." { - Test-MtCisaCrossTenantInboundDefault -GlobalAdminOnly | Should -Be $true -Because "default inbound cross-tenant access policy is set to block." + Test-MtCisaCrossTenantInboundDefault | Should -Be $true -Because "default inbound cross-tenant access policy is set to block." } } \ No newline at end of file From f4d02cd737fd568e464786357721ff1a89cec208 Mon Sep 17 00:00:00 2001 From: Snozz Date: Sat, 13 Jul 2024 19:36:15 -0700 Subject: [PATCH 28/29] Fix AAD 7.2 --- .../public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md | 3 --- .../public/cisa/entra/Test-MtCisaGlobalAdminCount.md | 3 --- .../public/cisa/entra/Test-MtCisaGlobalAdminRatio.md | 3 --- .../public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 | 11 +++++++---- 4 files changed, 7 insertions(+), 13 deletions(-) diff --git a/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md b/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md index 481f40a4..1a9f6fc5 100644 --- a/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md +++ b/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md @@ -14,8 +14,5 @@ Rationale: Many privileged administrative users do not need unfettered access to * [CISA 7.3 Highly Privileged User Access - MS.AAD.7.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad73v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L833) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% 
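Review bot: Unlike the other test files touched in this series, this `It` block still pipes `Test-MtCisaCrossTenantInboundDefault` straight into `Should -Be $true`, so if that function ever adopts the `return $null` skip convention introduced for the other CISA checks, the not-connected case will show as a failure here rather than a skip. Capturing the result and guarding it the same way (`$result = Test-MtCisaCrossTenantInboundDefault` then `if ($null -ne $result) { $result | Should -Be $true -Because "..." }`) would keep the test files consistent; whether the function has such a path is not visible in this patch.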
diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md index 7c5a7a22..9f7937c0 100644 --- a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md +++ b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md @@ -20,8 +20,5 @@ When counting the number of users assigned to the Global Administrator role, **c * [CISA 7.1 Highly Privileged User Access - MS.AAD.7.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad71v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L761) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md index 9bbd708e..e62a7246 100644 --- a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md +++ b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md @@ -17,8 +17,5 @@ This policy is based on the ratio below: * [CISA 7.2 Highly Privileged User Access - MS.AAD.7.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad72v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L792) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 index 1118c037..19dfab14 100644 --- a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 
@@ -48,14 +48,17 @@ Function Test-MtCisaGlobalAdminRatio { $testResult = $false } - $users = $roleAssignments.assignments | Sort-Object id -Unique + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles" if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has more granular role assignments than global admin assignments:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has more granular [role assignments]($link) than global admin assignments.`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have enough granular role assignments." + $testResultMarkdown = "Your tenant does not have enough granular [role assignments]($link).`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType Users -GraphObjects $users + $result = "$ratio = $($globalAdministrators.Count) / $($otherAssignments.Count)" + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file From 30ac66af33adbfb7dec22997968443d1cec0016f Mon Sep 17 00:00:00 2001 
From: Snozz Date: Sun, 14 Jul 2024 06:06:21 -0700 Subject: [PATCH 29/29] Merge --- .../internal/Get-GraphObjectMarkdown.ps1 | 5 ++- powershell/internal/Get-MtSkippedReason.ps1 | 3 +- powershell/public/Add-MtTestResultDetail.ps1 | 4 +-- .../Test-MtCisaActivationNotification.ps1 | 36 +++++++++++++++---- .../entra/Test-MtCisaAuthenticatorContext.ps1 | 28 ++++++++++++--- .../cisa/entra/Test-MtCisaCloudGlobalAdmin.md | 3 -- .../entra/Test-MtCisaDiagnosticSettings.ps1 | 35 ++++++++++++++++-- .../cisa/entra/Test-MtCisaGlobalAdminCount.md | 3 -- .../cisa/entra/Test-MtCisaGlobalAdminRatio.md | 3 -- .../entra/Test-MtCisaGlobalAdminRatio.ps1 | 11 +++--- ...ctivationNotificationGlobalAdmin.Tests.ps1 | 12 +++---- ...tCisaActivationNotificationOther.Tests.ps1 | 12 +++---- .../Test-MtCisaAuthenticatorContext.Tests.ps1 | 16 ++++----- ...-MtCisaCrossTenantInboundDefault.Tests.ps1 | 2 +- .../Test-MtCisaDiagnosticSettings.Tests.ps1 | 12 +++---- 15 files changed, 124 insertions(+), 61 deletions(-) diff --git a/powershell/internal/Get-GraphObjectMarkdown.ps1 b/powershell/internal/Get-GraphObjectMarkdown.ps1 index 7e280baf..603e9094 100644 --- a/powershell/internal/Get-GraphObjectMarkdown.ps1 +++ b/powershell/internal/Get-GraphObjectMarkdown.ps1 @@ -23,7 +23,7 @@ Function Get-GraphObjectMarkdown { # The type of graph object, this will be used to show the right deeplink to the test results report. [Parameter(Mandatory = $true)] [ValidateSet('AuthenticationMethod', 'AuthorizationPolicy', 'ConditionalAccess', 'ConsentPolicy', - 'Devices', 'DiagnosticSettings', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' + 'Devices', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' )] [string] $GraphObjectType ) 
@@ -33,8 +33,7 @@ Function Get-GraphObjectMarkdown { AuthorizationPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/UserSettings" ConditionalAccess = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/{0}" ConsentPolicy = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings" - Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" - DiagnosticSettings = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" + Devices = "https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DeviceDetailsMenuBlade/~/Properties/objectId/{0}" Domains = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DomainsManagementMenuBlade/~/CustomDomainNames" Groups = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupDetailsMenuBlade/~/Overview/groupId/{0}" IdentityProtection = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/UsersAtRiskAlerts/fromNav/Identity" diff --git a/powershell/internal/Get-MtSkippedReason.ps1 b/powershell/internal/Get-MtSkippedReason.ps1 index 3572a0eb..893196da 100644 --- a/powershell/internal/Get-MtSkippedReason.ps1 +++ b/powershell/internal/Get-MtSkippedReason.ps1 
@@ -9,9 +9,10 @@ function Get-MtSkippedReason { ) switch($SkippedBecause){ - "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/installation#optional-modules-and-permissions)" ; break} + "NotConnectedAzure" { "Not connected to Azure. See [Connecting to Azure](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} "NotConnectedExchange" { "Not connected to Exchange Online. See [Connecting to Exchange Online](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} "NotConnectedSecurityCompliance" { "Not connected to Security & Compliance. See [Connecting to Security & Compliance](https://maester.dev/docs/installation#optional-modules-and-permissions)"; break} + "NotConnectedGraph" { "Not connected to Graph. See [Connect-Maester](https://maester.dev/docs/commands/Connect-Maester#examples)"; break} "NotDotGovDomain" { "This test is only for federal, executive branch, departments and agencies. To override use [Test-MtCisaDmarcAggregateCisa -Force](https://maester.dev/docs/commands/Test-MtCisaDmarcAggregateCisa)"; break} "NotLicensedEntraIDP1" { "This test is for tenants that are licensed for Entra ID P1. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break} "NotLicensedEntraIDP2" { "This test is for tenants that are licensed for Entra ID P2. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break} diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1 index f22125e7..cb471c48 100644 --- a/powershell/public/Add-MtTestResultDetail.ps1 +++ b/powershell/public/Add-MtTestResultDetail.ps1 
@@ -53,7 +53,7 @@ Function Add-MtTestResultDetail { # The type of graph object, this will be used to show the right deeplink to the test results report. [ValidateSet('AuthenticationMethod', 'AuthorizationPolicy', 'ConditionalAccess', 'ConsentPolicy', - 'Devices', 'DiagnosticSettings', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' + 'Devices', 'Domains', 'Groups', 'IdentityProtection', 'Users', 'UserRole' )] [string] $GraphObjectType, @@ -62,7 +62,7 @@ Function Add-MtTestResultDetail { [Parameter(Mandatory = $false)] [string] $TestName = $____Pester.CurrentTest.ExpandedName, - [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', + [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', "LicensedEntraIDPremium", 'NotSupported' )] [string] $SkippedBecause diff --git a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 index 0aeacd14..27a6c1b9 100644 --- a/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaActivationNotification.ps1 
@@ -25,10 +25,17 @@ Function Test-MtCisaActivationNotification { [switch]$GlobalAdminOnly ) - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID - $pim = $EntraIDPlan -eq "P2" -or $EntraIDPlan -eq "Governance" - if(-not $pim){ - return $false + if(!(Test-MtConnection Graph)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedGraph + return $null + }else{ + $EntraIDPlan = Get-MtLicenseInformation -Product EntraID + if($EntraIDPlan -ne "P2"){ + Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2 + }elseif($EntraIDPlan -ne "Governance"){ + Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDGovernance + } + return $null } $roles = Get-MtRole -CisaHighlyPrivilegedRoles @@ -74,11 +81,28 @@ Function Test-MtCisaActivationNotification { $testResult = ($misconfigured|Measure-Object).Count -eq 0 + $link = "https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/roles/resourceId//resourceType/tenant/provider/aadroles" + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has notifications for role activations:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has notifications for [role activations]($link).`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have notifications on role activations." + $testResultMarkdown = "Your tenant does not have notifications on [role activations]($link).`n`n%TestResult%" + } + + $result = "| Role Name | Result |`n" + $result += "| --- | --- |`n" + + foreach ($item in $rolePolicies) { + $itemResult = $resultFail + if($item.activationNotify){ + $itemResult = $resultPass + } + $result += "| $($item.role) | $($itemResult) |`n" } + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult 
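Review bot: The license check in the new `else` branch skips every tenant: `return $null` sits after the inner if/elseif, so the function returns before reaching `Get-MtRole` regardless of plan, and a P2 tenant is reported as NotLicensedEntraIDGovernance while a Governance tenant is reported as NotLicensedEntraIDP2 because each branch tests inequality against only one value. As a result the MS.AAD.7.8/7.9 Pester tests in this series always take their `$null` path and the PIM activation-alert control is never actually evaluated. The removed lines accepted either plan, so the guard should be one combined condition that returns only when neither is licensed; which skip reason to report for that combined case is a judgement call since the ValidateSet has one value per plan. The rest of the function continues past this hunk.

```powershell
    if(!(Test-MtConnection Graph)){
        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
        return $null
    }

    # Activation alerts are a PIM feature: only Entra ID P2 or Governance tenants are evaluated.
    $EntraIDPlan = Get-MtLicenseInformation -Product EntraID
    if($EntraIDPlan -ne "P2" -and $EntraIDPlan -ne "Governance"){
        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP2
        return $null
    }
    # … unchanged: role retrieval and policy evaluation …
```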
diff --git a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 index 0f5e145d..8f3cfc32 100644 --- a/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaAuthenticatorContext.ps1 @@ -17,6 +17,13 @@ Function Test-MtCisaAuthenticatorContext { [OutputType([bool])] param() + if(!(Test-MtConnection Graph)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedGraph + return $null + } + + $isMethodsMigrationComplete = Test-MtCisaMethodsMigration + $result = Get-MtAuthenticationMethodPolicyConfig $policies = $result | Where-Object {` 
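Review bot: The new connection guard is the only early exit added, yet the Pester-level skip removed in tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 also skipped when `Test-MtCisaPhishResistant` was true or the MicrosoftAuthenticator policy state was `disabled`, which is the applicability condition stated in the MS.AAD.3.3 test name; unless that is handled in the part of the function outside this hunk, tenants that enforce phishing-resistant MFA or keep Authenticator disabled now fail instead of being skipped. Re-adding that condition here would need a matching `-SkippedBecause` value, since none of the entries in the Add-MtTestResultDetail ValidateSet describes it. Separately, `[OutputType([bool])]` is no longer accurate once `return $null` is a possible outcome; a comment above `param()` such as `# Returns $null (after recording a skip reason) when not connected or the test does not apply` would tell callers to expect it, and the same applies to the Test-MtCisaDiagnosticSettings hunk that adds its Azure guard.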
@@ -29,14 +36,27 @@ Function Test-MtCisaAuthenticatorContext { $_.featureSettings.displayLocationInformationRequiredState.state -eq "enabled" -and ` $_.featureSettings.displayLocationInformationRequiredState.includeTarget.id -contains "all_users" } - $testResult = ($policies|Measure-Object).Count -ge 1 + $testResult = (($policies|Measure-Object).Count -ge 1) -and $isMethodsMigrationComplete + + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/Identity" if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has the Authentication Methods policy for Microsoft Authenticator set appropriately:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately.`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have the Authentication Methods policy for Microsoft Authenticator set appropriately." + $testResultMarkdown = "Your tenant does not have the [Authentication Methods]($link) policy for Microsoft Authenticator set appropriately or migration to Authentication Methods is not complete.`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType AuthenticationMethod -GraphObjects $policies + + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if($isMethodsMigrationComplete){ + $migrationResult = $resultPass + }else{ + $migrationResult = $resultFail + } + $result = "[Authentication Methods]($link) Migration Complete: $migrationResult" + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file diff --git a/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md b/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md index 481f40a4..1a9f6fc5 100644 --- a/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md 
+++ b/powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.md @@ -14,8 +14,5 @@ Rationale: Many privileged administrative users do not need unfettered access to * [CISA 7.3 Highly Privileged User Access - MS.AAD.7.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad73v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L833) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 index ab0476d1..58e8123e 100644 --- a/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaDiagnosticSettings.ps1 @@ -19,6 +19,11 @@ Function Test-MtCisaDiagnosticSettings { [OutputType([bool])] param() + if(!(Test-MtConnection Azure)){ + Add-MtTestResultDetail -SkippedBecause NotConnectedAzure + return $null + } + $logs = Invoke-AzRestMethod -Path "/providers/microsoft.aadiam/diagnosticSettingsCategories?api-version=2017-04-01-preview" $logs = ($logs.Content|ConvertFrom-Json).value $logs = ($logs | Where-Object { ` 
@@ -53,14 +58,38 @@ Function Test-MtCisaDiagnosticSettings { $actual["$_"] -eq $false } | Sort-Object + $array = $actual.Keys | ForEach-Object { ` + [pscustomobject]@{ + Log = "$_" + Enabled = $($actual[$_]) + } + } + $testResult = $unsetLogs.Count -eq 0 + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General" + $resultFail = "❌ Fail" + $resultPass = "✅ Pass" + if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has diagnostic settings configured for all logs." + $testResultMarkdown = "Well done. Your tenant has [diagnostic settings]($link) configured for all logs." } else { - $testResultMarkdown = "Your tenant does not have diagnostic settings configured for all logs:`n`n%unsetLogs%" + $testResultMarkdown = "Your tenant does not have [diagnostic settings]($link) configured for all logs:`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType DiagnosticSettings + + $result = "| Log Name | Result |`n" + $result += "| --- | --- |`n" + + foreach ($item in $array) { + $itemResult = $resultFail + if($item.Enabled){ + $itemResult = $resultPass + } + $result += "| $($item.Log) | $($itemResult) |`n" + } + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md index 7c5a7a22..9f7937c0 100644 --- a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md +++ b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminCount.md 
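Review bot: The pass-branch message `"Well done. Your tenant has [diagnostic settings]($link) configured for all logs."` has no `%TestResult%` placeholder, so the Log Name / Result table built below it is only rendered on failure, unlike the sibling Test-MtCisaActivationNotification hunk which shows its table in both outcomes; adding the newline-separated `%TestResult%` placeholder to that string as the fail branch does keeps the evidence of which log categories are forwarded in a passing report too. The rows also come from `$actual.Keys`, a hashtable whose enumeration order is not stable, so `$array = $actual.Keys | Sort-Object | ForEach-Object { ` gives a deterministic table and matches the `Sort-Object` already applied to `$unsetLogs`. The enclosing function continues before and after this hunk.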
@@ -20,8 +20,5 @@ When counting the number of users assigned to the Global Administrator role, **c * [CISA 7.1 Highly Privileged User Access - MS.AAD.7.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad71v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L761) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md index 9bbd708e..e62a7246 100644 --- a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md +++ b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.md @@ -17,8 +17,5 @@ This policy is based on the ratio below: * [CISA 7.2 Highly Privileged User Access - MS.AAD.7.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/aad.md#msaad72v1) * [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/AADConfig.rego#L792) -#### Note -Current test only captures active role assignments: https://github.com/maester365/maester/issues/195 - %TestResult% diff --git a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 index 1118c037..19dfab14 100644 --- a/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 +++ b/powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1 
@@ -48,14 +48,17 @@ Function Test-MtCisaGlobalAdminRatio { $testResult = $false } - $users = $roleAssignments.assignments | Sort-Object id -Unique + $link = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/RolesManagementMenuBlade/~/AllRoles" if ($testResult) { - $testResultMarkdown = "Well done. Your tenant has more granular role assignments than global admin assignments:`n`n%TestResult%" + $testResultMarkdown = "Well done. Your tenant has more granular [role assignments]($link) than global admin assignments.`n`n%TestResult%" } else { - $testResultMarkdown = "Your tenant does not have enough granular role assignments." + $testResultMarkdown = "Your tenant does not have enough granular [role assignments]($link).`n`n%TestResult%" } - Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType Users -GraphObjects $users + $result = "$ratio = $($globalAdministrators.Count) / $($otherAssignments.Count)" + $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result + + Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 b/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 index f1e13d5f..366cd04c 100644 --- a/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaActivationNotificationGlobalAdmin.Tests.ps1 
@@ -1,9 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.8", "CISA", "Security", "All" { It "MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert." { - Test-MtCisaActivationNotification -GlobalAdminOnly | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + $result = Test-MtCisaActivationNotification -GlobalAdminOnly + + if ($null -ne $result) { + $result | Should -Be $true -Because "notifications are set for activation of the Global Admin role." + } } } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 b/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 index 191aa32c..d9560475 100644 --- a/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaActivationNotificationOther.Tests.ps1 @@ -1,9 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.7.9", "CISA", "Security", "All" { It "MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert." { - Test-MtCisaActivationNotification -GlobalAdminOnly | Should -Be $true -Because "notifications are set for activation of highly privileged roles." + $result = Test-MtCisaActivationNotification + + if ($null -ne $result) { + $result | Should -Be $true -Because "notifications are set for activation of highly privileged roles." + } } } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 b/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 index 8ed37819..b7e73c24 100644 
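Review bot: Each rewritten It block only asserts inside `if ($null -ne $result)`, so when the function returns `$null` the test body runs no assertion and Pester's verdict depends entirely on whether `Add-MtTestResultDetail -SkippedBecause` has already marked the test as skipped; that dependency is not stated anywhere in the test. A comment on the guard, `# $null means the function already recorded a skip reason via Add-MtTestResultDetail; only assert on a real result`, would make the contract explicit for the next test author. The same pattern appears in the Test-MtCisaActivationNotificationOther, Test-MtCisaAuthenticatorContext and Test-MtCisaDiagnosticSettings test hunks in this commit.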
--- a/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaAuthenticatorContext.Tests.ps1 @@ -1,13 +1,9 @@ -BeforeDiscovery { - $EntraIDPlan = Get-MtLicenseInformation -Product EntraID - - $result = Get-MtAuthenticationMethodPolicyConfig - - $authenticator = $result | Where-Object { $_.id -eq "MicrosoftAuthenticator" } -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.3", "CISA", "Security", "All" -Skip:( ($EntraIDPlan -eq "Free") -or (Test-MtCisaPhishResistant) -or $authenticator.state -eq "disabled") { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.3", "CISA", "Security", "All" { It "MS.AAD.3.3: If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information." { - Test-MtCisaAuthenticatorContext | Should -Be $true -Because "Microsoft Authenticator is configured to show login context information." + $result = Test-MtCisaAuthenticatorContext + + if ($null -ne $result) { + $result | Should -Be $true -Because "Microsoft Authenticator is configured to show login context information." + } } } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 b/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 index e789ad68..3fdd8e20 100644 --- a/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaCrossTenantInboundDefault.Tests.ps1 
@@ -1,5 +1,5 @@ Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.8.3", "CISA", "Security", "All" { It "MS.AAD.8.3: Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes." { - Test-MtCisaCrossTenantInboundDefault -GlobalAdminOnly | Should -Be $true -Because "default inbound cross-tenant access policy is set to block." + Test-MtCisaCrossTenantInboundDefault | Should -Be $true -Because "default inbound cross-tenant access policy is set to block." } } \ No newline at end of file diff --git a/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 b/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 index e5504eb5..db58a8bc 100644 --- a/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 +++ b/tests/cisa/entra/Test-MtCisaDiagnosticSettings.Tests.ps1 @@ -1,9 +1,9 @@ -BeforeAll { - $azureSession = Test-MtConnection -Service Azure -} - -Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.4.1", "CISA", "Security", "All" -Skip:((-not $azureSession)) { +Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.4.1", "CISA", "Security", "All" { It "MS.AAD.4.1: Security logs SHALL be sent to the agency's security operations center for monitoring." { - Test-MtCisaDiagnosticSettings | Should -Be $true -Because "diagnostic settings are configured for all logs." + $cisaDiagnosticSettings = Test-MtCisaDiagnosticSettings + + if ($null -ne $cisaDiagnosticSettings) { + $cisaDiagnosticSettings | Should -Be $true -Because "diagnostic settings are configured for all logs." + } } } \ No newline at end of file